dcrat | 4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Size

1.5MB
MD5

2383d038dfb2be0c8b36e110ed0961f9
SHA1

5bdd5b73a677d9161b8a7d43f453cd05c7bcbe02
SHA256

4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74
SHA512

40f475788d97ddddb07b49ff4373737bf58eb2b3a99cd0476323b637c83744612d47b8c7cfa2cd6121b81fdc8b328face4e41254597ff357204f7897ad6aa717
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
		4396	schtasks.exe
		8	schtasks.exe
		1808	schtasks.exe
		3476	schtasks.exe
		2472	schtasks.exe
		3908	schtasks.exe
		4572	schtasks.exe
		332	schtasks.exe
		4996	schtasks.exe
		1660	schtasks.exe
		3212	schtasks.exe
		2432	schtasks.exe
		3316	schtasks.exe
		4464	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.AppV.AppVClientWmi\\WmiPrvSE.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\Registry.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.AppV.AppVClientWmi\\WmiPrvSE.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\Registry.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Windows\\System32\\Storprop\\dwm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\", \"C:\\Windows\\hh\\sysmon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.AppV.AppVClientWmi\\WmiPrvSE.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.AppV.AppVClientWmi\\WmiPrvSE.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\Registry.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\", \"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\", \"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\", \"C:\\ProgramData\\ssh\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	1872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1872	schtasks.exe	83

UAC bypass 3 TTPs 45 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4572	powershell.exe
4440	powershell.exe
4740	powershell.exe
1184	powershell.exe
4020	powershell.exe
556	powershell.exe
4800	powershell.exe
112	powershell.exe
4296	powershell.exe
1800	powershell.exe
4252	powershell.exe
1520	powershell.exe
4588	powershell.exe
2092	powershell.exe
936	powershell.exe
448	powershell.exe
3228	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 14 IoCs

pid	Process
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1324	WmiPrvSE.exe
2300	WmiPrvSE.exe
1248	WmiPrvSE.exe
1648	WmiPrvSE.exe
4272	WmiPrvSE.exe
2924	WmiPrvSE.exe
2448	WmiPrvSE.exe
4444	WmiPrvSE.exe
220	WmiPrvSE.exe
3064	WmiPrvSE.exe
2068	WmiPrvSE.exe
4396	WmiPrvSE.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\Microsoft.AppV.AppVClientWmi\\WmiPrvSE.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\ssh\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Storprop\\dwm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\hh\\sysmon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\Registry.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\Registry.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\Microsoft.AppV.AppVClientWmi\\WmiPrvSE.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\bthudtask\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\hh\\sysmon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\WinBioDataModelOOBE\\dllhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\fthsvc\\fontdrvhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\sysmon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\ssh\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Storprop\\dwm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WMPhoto\\fontdrvhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\LicensingDiagSpp\\RuntimeBroker.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\System32\WinBioDataModelOOBE\5940a34987c991	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\bthudtask\RuntimeBroker.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\Storprop\dwm.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\fthsvc\fontdrvhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\WinBioDataModelOOBE\dllhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\WMPhoto\RCXE3FB.tmp	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\LicensingDiagSpp\RuntimeBroker.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\24dbde2999530e	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\fthsvc\5b884080fd4f94	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\fthsvc\RCXE1F7.tmp	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\WinBioDataModelOOBE\dllhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\LicensingDiagSpp\9e8d7a4ca61bd9	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\LicensingDiagSpp\RuntimeBroker.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\bthudtask\9e8d7a4ca61bd9	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\Storprop\6cb0b6c459d5d3	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\WMPhoto\fontdrvhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\WMPhoto\fontdrvhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\bthudtask\RuntimeBroker.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\Storprop\dwm.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\fthsvc\fontdrvhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\WMPhoto\5b884080fd4f94	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\csrss.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Program Files\ModifiableWindowsApps\Registry.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\hh\sysmon.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\hh\121e5b5079f7c0	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\38384e6a620884	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\hh\sysmon.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	WmiPrvSE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1808	schtasks.exe
332	schtasks.exe
1660	schtasks.exe
4396	schtasks.exe
4464	schtasks.exe
3212	schtasks.exe
2432	schtasks.exe
4996	schtasks.exe
3316	schtasks.exe
8	schtasks.exe
3476	schtasks.exe
2472	schtasks.exe
3908	schtasks.exe
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
556	powershell.exe
1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
4020	powershell.exe
4572	powershell.exe
4440	powershell.exe
1520	powershell.exe
4440	powershell.exe
556	powershell.exe
4572	powershell.exe
4020	powershell.exe
1520	powershell.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
4588	powershell.exe
2092	powershell.exe
936	powershell.exe
4800	powershell.exe
4800	powershell.exe
2092	powershell.exe
4588	powershell.exe
936	powershell.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1324	WmiPrvSE.exe
Token: SeDebugPrivilege	2300	WmiPrvSE.exe
Token: SeDebugPrivilege	1248	WmiPrvSE.exe
Token: SeDebugPrivilege	1648	WmiPrvSE.exe
Token: SeDebugPrivilege	4272	WmiPrvSE.exe
Token: SeDebugPrivilege	2924	WmiPrvSE.exe
Token: SeDebugPrivilege	2448	WmiPrvSE.exe
Token: SeDebugPrivilege	4444	WmiPrvSE.exe
Token: SeDebugPrivilege	220	WmiPrvSE.exe
Token: SeDebugPrivilege	3064	WmiPrvSE.exe
Token: SeDebugPrivilege	2068	WmiPrvSE.exe
Token: SeDebugPrivilege	4396	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4020	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	89
PID 1932 wrote to memory of 4020	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	89
PID 1932 wrote to memory of 4572	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	90
PID 1932 wrote to memory of 4572	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	90
PID 1932 wrote to memory of 556	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	91
PID 1932 wrote to memory of 556	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	91
PID 1932 wrote to memory of 4440	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	92
PID 1932 wrote to memory of 4440	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	92
PID 1932 wrote to memory of 1520	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	93
PID 1932 wrote to memory of 1520	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	93
PID 1932 wrote to memory of 4028	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	98
PID 1932 wrote to memory of 4028	1932	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	98
PID 4028 wrote to memory of 3228	4028	cmd.exe	101
PID 4028 wrote to memory of 3228	4028	cmd.exe	101
PID 4028 wrote to memory of 3656	4028	cmd.exe	105
PID 4028 wrote to memory of 3656	4028	cmd.exe	105
PID 3656 wrote to memory of 4588	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	112
PID 3656 wrote to memory of 4588	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	112
PID 3656 wrote to memory of 4800	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	113
PID 3656 wrote to memory of 4800	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	113
PID 3656 wrote to memory of 2092	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	114
PID 3656 wrote to memory of 2092	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	114
PID 3656 wrote to memory of 936	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	115
PID 3656 wrote to memory of 936	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	115
PID 3656 wrote to memory of 1524	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	120
PID 3656 wrote to memory of 1524	3656	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	120
PID 1524 wrote to memory of 448	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	134
PID 1524 wrote to memory of 448	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	134
PID 1524 wrote to memory of 3228	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	135
PID 1524 wrote to memory of 3228	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	135
PID 1524 wrote to memory of 112	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	136
PID 1524 wrote to memory of 112	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	136
PID 1524 wrote to memory of 4296	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	137
PID 1524 wrote to memory of 4296	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	137
PID 1524 wrote to memory of 4740	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	138
PID 1524 wrote to memory of 4740	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	138
PID 1524 wrote to memory of 1184	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	139
PID 1524 wrote to memory of 1184	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	139
PID 1524 wrote to memory of 4252	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	140
PID 1524 wrote to memory of 4252	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	140
PID 1524 wrote to memory of 1800	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	141
PID 1524 wrote to memory of 1800	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	141
PID 1524 wrote to memory of 1324	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	150
PID 1524 wrote to memory of 1324	1524	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	150
PID 1324 wrote to memory of 3680	1324	WmiPrvSE.exe	151
PID 1324 wrote to memory of 3680	1324	WmiPrvSE.exe	151
PID 1324 wrote to memory of 3956	1324	WmiPrvSE.exe	152
PID 1324 wrote to memory of 3956	1324	WmiPrvSE.exe	152
PID 3680 wrote to memory of 2300	3680	WScript.exe	153
PID 3680 wrote to memory of 2300	3680	WScript.exe	153
PID 2300 wrote to memory of 4484	2300	WmiPrvSE.exe	154
PID 2300 wrote to memory of 4484	2300	WmiPrvSE.exe	154
PID 2300 wrote to memory of 3520	2300	WmiPrvSE.exe	155
PID 2300 wrote to memory of 3520	2300	WmiPrvSE.exe	155
PID 4484 wrote to memory of 1248	4484	WScript.exe	158
PID 4484 wrote to memory of 1248	4484	WScript.exe	158
PID 1248 wrote to memory of 4452	1248	WmiPrvSE.exe	160
PID 1248 wrote to memory of 4452	1248	WmiPrvSE.exe	160
PID 1248 wrote to memory of 4440	1248	WmiPrvSE.exe	161
PID 1248 wrote to memory of 4440	1248	WmiPrvSE.exe	161
PID 4452 wrote to memory of 1648	4452	WScript.exe	162
PID 4452 wrote to memory of 1648	4452	WScript.exe	162
PID 1648 wrote to memory of 5108	1648	WmiPrvSE.exe	163
PID 1648 wrote to memory of 5108	1648	WmiPrvSE.exe	163

System policy modification 1 TTPs 45 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
"C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\WinMSIPC\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fthsvc\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WMPhoto\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7o45zQOWo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3228
- - C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
    "C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WinBioDataModelOOBE\dllhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\ssh\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\LicensingDiagSpp\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
      "C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\bthudtask\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\hh\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Storprop\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        "C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1324
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d44ebec-5f16-4aca-89aa-63f548afc199.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0522a37-6dcb-4641-b840-d05cd46bc4f0.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d82bb7dc-c69b-45b2-8eb4-286c0c4432bb.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0a113d-ea97-40ca-a2df-1b5d7953d599.vbs"
        12⤵
        
        PID:5108
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2b217f2-962e-4590-8885-9091cf70863f.vbs"
        14⤵
        
        PID:1664
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6190aa6-a28c-475d-b9d2-6252efd6cf03.vbs"
        16⤵
        
        PID:4064
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48597fa1-c5d0-47d4-9b1e-c5131bccfb93.vbs"
        18⤵
        
        PID:2460
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d812b47b-0e28-4898-b37b-d5f8815b7ff1.vbs"
        20⤵
        
        PID:1876
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e088693-7314-4512-984d-1a042ec436ff.vbs"
        22⤵
        
        PID:4256
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14ac4a94-ebe1-43a5-a42e-0c66d1a266d4.vbs"
        24⤵
        
        PID:1584
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\580e3237-8eff-4a3e-80c3-2b22f3fd6ce1.vbs"
        26⤵
        
        PID:1092
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        
        C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c868cf2-ff42-4ba9-93bf-bb0dafdd90da.vbs"
        28⤵
        
        PID:4680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f3c8b2-e21f-464a-912b-3ac8d8bf9a17.vbs"
        28⤵
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\565091e9-a06d-4459-b910-e36b0186a8eb.vbs"
        26⤵
        
        PID:4852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\714b157c-9dc7-48db-85c2-b4b0e7c315bf.vbs"
        24⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\037ebfda-fc10-4dba-b394-195bf6ed19d2.vbs"
        22⤵
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbd3155f-fc91-4058-a023-be45fc185c53.vbs"
        20⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c758234-0c16-4a20-92ab-dbc9de09a9be.vbs"
        18⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23410639-66d4-483f-a4ca-e40f64649b81.vbs"
        16⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\168c49fe-1bc9-4af9-85be-cec60d793220.vbs"
        14⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f403609-251c-4025-aa98-54c2e37b2398.vbs"
        12⤵
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d3c9cea-71fc-44f9-86fd-3b648a5ed251.vbs"
        10⤵
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e344075-d9a5-4eec-904b-795101eeb813.vbs"
        8⤵
        
        PID:3520
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9accc7-05f9-426d-9ddb-eabf414299c8.vbs"
        6⤵
        
        PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\WinMSIPC\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\fthsvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\WMPhoto\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\WinBioDataModelOOBE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\ssh\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\LicensingDiagSpp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\bthudtask\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\hh\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\Microsoft.AppV.AppVClientWmi\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Storprop\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46bf20e17dec660ef09b16e41372a7c3

SHA1
cf8daa89a45784a385b75cf5e90d3f59706ac5d5

SHA256
719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

SHA512
91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1008cfb29cdc25b4180c736ec404335

SHA1
39760fbcc8c1a64e856e98d61ce194d39b727438

SHA256
0eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558

SHA512
00c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c65338524586fc00cf00e679a7d4a1f4

SHA1
62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae

SHA256
faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6

SHA512
c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c0a113d-ea97-40ca-a2df-1b5d7953d599.vbs

Filesize
742B

MD5
c55a015e9f0920d511134d9a6e352afc

SHA1
1088aded73dda422ef4bc0cd06eb35690261f1e8

SHA256
4a489be6116f44227026074be9a5ac7ffa953e2cc07e11e3bca76d9127719ddd

SHA512
3e3be35120821eef9522f4e93b6e7ce3756d1a3512343a2f5725ba211e6e60a8e1ffcccacf35d3417aacfbcae5c2135e979ccc177bd9448dc5a48aea97fd4114

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e088693-7314-4512-984d-1a042ec436ff.vbs

Filesize
741B

MD5
b154c93a8f0f1aa120d5ff6e0ced1e07

SHA1
65e04df55d27499c482fe51933b942db1fe34560

SHA256
63619200c02a8fff32203fdb12211842cab1b8f88e0d047182526464426042d7

SHA512
a8ea33bae15666bedfe7de6cf731da7b5f6e90bc55d3c81478971b585f317c3da710cf4caf2b65439290173adaf85b96ee190dab4b9c7c20e26dbc2c6d88cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\14ac4a94-ebe1-43a5-a42e-0c66d1a266d4.vbs

Filesize
742B

MD5
0d7fe4fe6fdc121394679bbd2d1698d2

SHA1
1eb695f5d510b19ea8cad1b68549e97f5569c7b9

SHA256
dff4d60f8859ffa77e6baab2c12b486e7f7ffeb1b6963402813b81e1bc073a6e

SHA512
d1b526103da1e7fcdc4547a6862a827d632e61d486aa48214a2844785101bc8cec881dd4719f3efb47ca3bfd28ae4b36078e3de0081eddd47dd420a8f7d4c767

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a9accc7-05f9-426d-9ddb-eabf414299c8.vbs

Filesize
518B

MD5
50f891b62fa9c6b1ee6c8a6f61098ee7

SHA1
a8a0a889a217794392088649eeac440470d5fd60

SHA256
c907d3c1a85d1620c31c03ba7982eec1ba4af2ccaf4f40ad639ae1a4ba7eddea

SHA512
4b8ad3ddcc3cd05658a286dcd367b31436ee8f0a898f0c8155190d8b3745a2ed3f01f1009a17f7273b1ba75526c13859884fea01b8f16d812752985a45f2f5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d44ebec-5f16-4aca-89aa-63f548afc199.vbs

Filesize
742B

MD5
89a7d3067b0847602a21b8ca2cf265a6

SHA1
087695060c2c4ea98e3c6ab3b062472e419a9387

SHA256
a311fa1b1f34c9bbd9566d3cec57ab1b354922d13a1f442b280c1d820a50dae9

SHA512
f0894fb864be654da93de167cfddb9a8e7417fb6ad63a5f8aaa75146c7258f475db4fb36875fc5ebe6d93580529ca3f124a91961ede3827d086d569d15efbb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\48597fa1-c5d0-47d4-9b1e-c5131bccfb93.vbs

Filesize
742B

MD5
c24749e9103cb2c316d4fe709fd1e9af

SHA1
6e6c147a133a1503315ed6b7e5abb6c6c90e90b5

SHA256
5639970a1ea10f68a7e12c584f91181a6c14cf4ed0741b410ed30b499c7e4aa6

SHA512
052d9a9f62eb995dfa64308c7388645301d3d600eb85ea2162291d98a2aa8f5ac65d373e959e7bd892d261c01fe0cb674f47996d97e07aabe921b9b3832e007a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suuxucus.y14.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0522a37-6dcb-4641-b840-d05cd46bc4f0.vbs

Filesize
742B

MD5
df50e357f860d72d31c7ead27c3ce4bd

SHA1
c3582d9f6d06022cedf3816300b9902f22b2afe8

SHA256
161f9612b723aeed736f814dcb8db673e1b0876f98c9bb91c39f9fee7a994880

SHA512
3f9047abcfcc46c59a131a321013327d42a37b5b98492ec0309802a96b3df08405a39594b33cf44c69dba22836b1e9138da60e3bfa76e7f2da7dcdcb54ccc719

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6190aa6-a28c-475d-b9d2-6252efd6cf03.vbs

Filesize
742B

MD5
b3cc14daccced3e647f054e308811f01

SHA1
08e38cd0cf38e05d5280e76767e70d5a32e772fc

SHA256
27bf4fa24edc9e952ead4be519237a926fd6d4f3cd061e778d16d958987f6e74

SHA512
211c92672d56f24e31945bdda85c9d50c98ffb1863b29fe8b00ca6518b46795c6fe7f231cb9c40a9275772a974d439e5706221df6b5b5eea8755740c6a497bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d812b47b-0e28-4898-b37b-d5f8815b7ff1.vbs

Filesize
742B

MD5
db97faebd5d07849d346ea8e76fa4739

SHA1
1a10ea16c4a561533da8b8190dcab430d961467b

SHA256
c8b9f6d32fffa8af5da356c870aa0536cd9574debafb3dc7dd9befe883dc11a8

SHA512
892b86e3f366bad935b1a005099f533e88d54344af00af8121a01747d67b6fcb543c922d6a62e747cf281a564228bf4e890b9264939d7f5f76040f6be4391b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\d82bb7dc-c69b-45b2-8eb4-286c0c4432bb.vbs

Filesize
742B

MD5
14a11f405da2cf5ec29f12292e1c1d85

SHA1
5d0e8bb0eeb99a3df27ff6876d61dd6e6a172e0c

SHA256
a025c703aeaf6df66cb413302a703417d84179112cb13ab68883a1cf2955ee8b

SHA512
f9a319820ddf2bec4d25b9359cee1c7534f9b380602187c7f67a139a7c1ada3e409387326fc1c58117d15b4032aba156a392b5c0e7f1a5db55dde5207f307d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2b217f2-962e-4590-8885-9091cf70863f.vbs

Filesize
742B

MD5
41196ebe53e67ce76b98865318ed877a

SHA1
01ea61d31b907741119269eb7b754c0af3fc653d

SHA256
6467154467b8c5113eb4093beeef75ec5f91f7c8499da4e225bed08ea1481368

SHA512
b9b62e3c410e1c910e11906acde35b1ded4d9af8f6c4541719db90e0920e34ef966fb930eff7b469d51fef3da9119f567012a21703dd0214b1538d6dcfb0481e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
364B

MD5
311bdc8f0d9869c7a314a60c1c9275f8

SHA1
485bb0290a3287dcc4e8e867f23b93de3fcb37a6

SHA256
85dfbf78bf54249f5d90bd1bb4d41caa3a2330b52cdaaa3354e91c7e8e1fff5b

SHA512
73c2c78e9ede73e43e23cbe0d5c85d370871f1d85ba0f8f5a2aa9e0fffa313a21438cd716dc2b6d84070792f6b0866fd01b5095706e6f4cf733841f4c717a0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
748B

MD5
5105d4e4720c44e5ce9f475d4b1ae687

SHA1
6a5c355ef1616b09fcdf32dac849d2ff1a21cd10

SHA256
69bb0db441012265ce40b08b7d404982997db8167e853d04a4c5d361fa34f9fa

SHA512
7501a780f63bae97ef5a95425b98171f9815d2ace42a02424cc141b8c8acdcd069d8c54864e4891614bba3746a058b7539442afda547adc832e9cb5427a506c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7o45zQOWo.bat

Filesize
266B

MD5
616614709c4c49496daa368e30dd4c50

SHA1
b31fdbc91f87e0c647c1528355eccb5aa6e060b9

SHA256
b321708349c4d5a774f423aa9e4f3d1169b4da76ec432658dc8683a421d54fe5

SHA512
9eaa0cb2180d1f1a5a96e649a058694f35002ddc5a6b7dde344f571b9c84dc2ccaee82d6ab46af814434cb336eadc221297ba84a0d05697235107de3d0e4fb70

Download Submit
C:\Users\dllhost.exe

Filesize
1.5MB

MD5
2383d038dfb2be0c8b36e110ed0961f9

SHA1
5bdd5b73a677d9161b8a7d43f453cd05c7bcbe02

SHA256
4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74

SHA512
40f475788d97ddddb07b49ff4373737bf58eb2b3a99cd0476323b637c83744612d47b8c7cfa2cd6121b81fdc8b328face4e41254597ff357204f7897ad6aa717

Download Submit
memory/220-468-0x000000001C550000-0x000000001C652000-memory.dmp

Filesize
1.0MB

Download
memory/556-78-0x000001B5BF060000-0x000001B5BF082000-memory.dmp

Filesize
136KB

Download
memory/1324-348-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/1932-16-0x000000001BB40000-0x000000001BB48000-memory.dmp

Filesize
32KB

Download
memory/1932-6-0x0000000002AA0000-0x0000000002AAA000-memory.dmp

Filesize
40KB

Download
memory/1932-62-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-25-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-24-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-21-0x000000001BC80000-0x000000001BC88000-memory.dmp

Filesize
32KB

Download
memory/1932-20-0x000000001BB70000-0x000000001BB7C000-memory.dmp

Filesize
48KB

Download
memory/1932-18-0x000000001BB60000-0x000000001BB68000-memory.dmp

Filesize
32KB

Download
memory/1932-0-0x00007FFBE9023000-0x00007FFBE9025000-memory.dmp

Filesize
8KB

Download
memory/1932-17-0x000000001BB50000-0x000000001BB5C000-memory.dmp

Filesize
48KB

Download
memory/1932-15-0x000000001BB30000-0x000000001BB3A000-memory.dmp

Filesize
40KB

Download
memory/1932-14-0x000000001B510000-0x000000001B51C000-memory.dmp

Filesize
48KB

Download
memory/1932-11-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/1932-12-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

Filesize
32KB

Download
memory/1932-13-0x000000001B500000-0x000000001B50A000-memory.dmp

Filesize
40KB

Download
memory/1932-10-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/1932-9-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

Filesize
48KB

Download
memory/1932-8-0x000000001B4B0000-0x000000001B4B8000-memory.dmp

Filesize
32KB

Download
memory/1932-1-0x00000000006E0000-0x000000000085E000-memory.dmp

Filesize
1.5MB

Download
memory/1932-87-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-2-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-7-0x000000001B4A0000-0x000000001B4AC000-memory.dmp

Filesize
48KB

Download
memory/1932-3-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/1932-5-0x000000001B490000-0x000000001B49C000-memory.dmp

Filesize
48KB

Download
memory/1932-4-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/2068-485-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/2068-494-0x000000001BDC0000-0x000000001BEC2000-memory.dmp

Filesize
1.0MB

Download
memory/2448-443-0x000000001BF70000-0x000000001C072000-memory.dmp

Filesize
1.0MB

Download
memory/2448-432-0x00000000029A0000-0x00000000029B2000-memory.dmp

Filesize
72KB

Download
memory/2924-420-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3064-470-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/3064-481-0x000000001BAB0000-0x000000001BBB2000-memory.dmp

Filesize
1.0MB

Download
memory/3064-483-0x000000001BAB0000-0x000000001BBB2000-memory.dmp

Filesize
1.0MB

Download
memory/4272-408-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/4396-502-0x000000001C5E0000-0x000000001C6E2000-memory.dmp

Filesize
1.0MB

Download
memory/4444-445-0x000000001BBC0000-0x000000001BBD2000-memory.dmp

Filesize
72KB

Download
memory/4444-456-0x000000001C740000-0x000000001C842000-memory.dmp

Filesize
1.0MB

Download