dcrat | e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Size

1.5MB
MD5

19d9a08825aa6caf9eb842eff80964cc
SHA1

e2d3e68847540e9911b5794d7f405e7e2306c4f7
SHA256

e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970
SHA512

46cd84d8412d19baf1cd484fb9fd8de8ef32b67be5a9573a84d17df60e3ab5bde34cdefead852bd3840ca29610b252d940bbc5387022a90c6e7bbe5bdc2bb370
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
		2104	schtasks.exe
		2500	schtasks.exe
		2336	schtasks.exe
		2880	schtasks.exe
		2992	schtasks.exe
		3052	schtasks.exe
		2708	schtasks.exe
		1712	schtasks.exe
		1900	schtasks.exe
		1580	schtasks.exe
		2088	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Windows\\System32\\icsunattend\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Windows\\System32\\icsunattend\\dllhost.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Windows\\System32\\icsunattend\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Windows\\System32\\icsunattend\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\", \"C:\\Windows\\System32\\icsunattend\\dllhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fonts\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\", \"C:\\PerfLogs\\Admin\\csrss.exe\", \"C:\\PerfLogs\\Admin\\System.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\System.exe\", \"C:\\Windows\\System32\\scrobj\\csrss.exe\", \"C:\\Windows\\System32\\aepdu\\smss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2676	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
1424	powershell.exe
2036	powershell.exe
288	powershell.exe
860	powershell.exe
1812	powershell.exe
2416	powershell.exe
2364	powershell.exe
1116	powershell.exe
1576	powershell.exe
2212	powershell.exe
2400	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Executes dropped EXE 12 IoCs

pid	Process
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2960	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
1588	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2704	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2480	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
640	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
1424	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
352	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2596	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2920	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2296	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASPNETSetup_00001\\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\aepdu\\smss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\wininit.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\scrobj\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\aepdu\\smss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\icsunattend\\dllhost.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Media Player\\System.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Media Player\\System.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\icsunattend\\dllhost.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\scrobj\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\csrss.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\scrobj\csrss.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Windows\System32\scrobj\886983d96e3d3e	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Windows\System32\aepdu\smss.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Windows\System32\aepdu\69ddcba757bf72	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Windows\System32\icsunattend\5940a34987c991	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\System32\scrobj\RCX4905.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\System32\scrobj\csrss.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\System32\aepdu\RCX4B08.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\System32\aepdu\smss.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Windows\System32\icsunattend\dllhost.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\System32\icsunattend\RCX5181.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\System32\icsunattend\dllhost.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files\Mozilla Firefox\fonts\886983d96e3d3e	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX4694.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\1610b97d3ab4a7	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\RCX5589.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\System.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX5385.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files (x86)\Windows Media Player\System.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX4F7D.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DtcInstall\explorer.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File created	C:\Windows\DtcInstall\7a0fd90576e088	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\DtcInstall\RCX4D79.tmp	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
File opened for modification	C:\Windows\DtcInstall\explorer.exe	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2104	schtasks.exe
2708	schtasks.exe
1712	schtasks.exe
1900	schtasks.exe
2088	schtasks.exe
2336	schtasks.exe
3052	schtasks.exe
2500	schtasks.exe
1580	schtasks.exe
2992	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
1424	powershell.exe
288	powershell.exe
2364	powershell.exe
1576	powershell.exe
2400	powershell.exe
2236	powershell.exe
2416	powershell.exe
1812	powershell.exe
2036	powershell.exe
860	powershell.exe
1116	powershell.exe
2212	powershell.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	2960	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	1588	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	2704	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	2480	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	640	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	1424	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	352	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	2596	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	2920	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Token: SeDebugPrivilege	2296	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2236	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	42
PID 2856 wrote to memory of 2236	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	42
PID 2856 wrote to memory of 2236	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	42
PID 2856 wrote to memory of 2416	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	43
PID 2856 wrote to memory of 2416	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	43
PID 2856 wrote to memory of 2416	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	43
PID 2856 wrote to memory of 2364	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	44
PID 2856 wrote to memory of 2364	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	44
PID 2856 wrote to memory of 2364	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	44
PID 2856 wrote to memory of 2400	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	46
PID 2856 wrote to memory of 2400	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	46
PID 2856 wrote to memory of 2400	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	46
PID 2856 wrote to memory of 1812	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	49
PID 2856 wrote to memory of 1812	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	49
PID 2856 wrote to memory of 1812	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	49
PID 2856 wrote to memory of 860	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	50
PID 2856 wrote to memory of 860	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	50
PID 2856 wrote to memory of 860	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	50
PID 2856 wrote to memory of 2212	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	52
PID 2856 wrote to memory of 2212	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	52
PID 2856 wrote to memory of 2212	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	52
PID 2856 wrote to memory of 288	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	53
PID 2856 wrote to memory of 288	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	53
PID 2856 wrote to memory of 288	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	53
PID 2856 wrote to memory of 1116	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	54
PID 2856 wrote to memory of 1116	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	54
PID 2856 wrote to memory of 1116	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	54
PID 2856 wrote to memory of 2036	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	55
PID 2856 wrote to memory of 2036	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	55
PID 2856 wrote to memory of 2036	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	55
PID 2856 wrote to memory of 1576	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	56
PID 2856 wrote to memory of 1576	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	56
PID 2856 wrote to memory of 1576	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	56
PID 2856 wrote to memory of 1424	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	58
PID 2856 wrote to memory of 1424	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	58
PID 2856 wrote to memory of 1424	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	58
PID 2856 wrote to memory of 1704	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	66
PID 2856 wrote to memory of 1704	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	66
PID 2856 wrote to memory of 1704	2856	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	66
PID 1704 wrote to memory of 2664	1704	cmd.exe	68
PID 1704 wrote to memory of 2664	1704	cmd.exe	68
PID 1704 wrote to memory of 2664	1704	cmd.exe	68
PID 1704 wrote to memory of 3040	1704	cmd.exe	69
PID 1704 wrote to memory of 3040	1704	cmd.exe	69
PID 1704 wrote to memory of 3040	1704	cmd.exe	69
PID 3040 wrote to memory of 1208	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	70
PID 3040 wrote to memory of 1208	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	70
PID 3040 wrote to memory of 1208	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	70
PID 3040 wrote to memory of 2528	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	71
PID 3040 wrote to memory of 2528	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	71
PID 3040 wrote to memory of 2528	3040	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	71
PID 1208 wrote to memory of 1892	1208	WScript.exe	72
PID 1208 wrote to memory of 1892	1208	WScript.exe	72
PID 1208 wrote to memory of 1892	1208	WScript.exe	72
PID 1892 wrote to memory of 284	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	73
PID 1892 wrote to memory of 284	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	73
PID 1892 wrote to memory of 284	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	73
PID 1892 wrote to memory of 2140	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	74
PID 1892 wrote to memory of 2140	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	74
PID 1892 wrote to memory of 2140	1892	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	74
PID 284 wrote to memory of 2960	284	WScript.exe	76
PID 284 wrote to memory of 2960	284	WScript.exe	76
PID 284 wrote to memory of 2960	284	WScript.exe	76
PID 2960 wrote to memory of 2976	2960	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe	77

System policy modification 1 TTPs 39 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
"C:\Users\Admin\AppData\Local\Temp\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\scrobj\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\aepdu\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DtcInstall\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\icsunattend\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xStTXOfv6F.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
    "C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3040
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fe0bd9-0aaa-4c7f-92e2-d92837fd828a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1892
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f42063a4-242d-4664-84a6-a98b25070bea.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9edd106a-9c4e-4ebc-8bbf-7dbc51afeb69.vbs"
        8⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07cd4660-eadf-47b4-9d3f-708c4dcffec3.vbs"
        10⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\907b0bf2-536d-4969-940e-4acbae995ac3.vbs"
        12⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a85bbc1d-c661-4320-9c7c-9271ba88235b.vbs"
        14⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b9725f5-c186-476d-88c7-b467d8232df2.vbs"
        16⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6db4b9fb-ad3e-47a5-a4ad-0cb25ccc40c0.vbs"
        18⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d50134-0008-4298-a414-cceb1f709792.vbs"
        20⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b9a6a4-984a-4b37-932f-58e0dfa19103.vbs"
        22⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4889376d-7b80-4186-95da-a0221773946b.vbs"
        24⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        
        C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\186e9635-12d1-475b-8d60-96d173b1d541.vbs"
        26⤵
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\226ef381-d00f-4603-8bb4-cb0890dcbd40.vbs"
        26⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5add086-da6f-4b76-bff7-3e451e0b5dba.vbs"
        24⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b97b07f8-8407-4fe3-902c-6354467fa366.vbs"
        22⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fc120ac-bca3-4718-b9ff-f2f363eb86f8.vbs"
        20⤵
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb4b09b0-8baa-4380-83ae-f70bd65c6b4c.vbs"
        18⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a75e98-3a04-402c-9cd1-f43c3ab08342.vbs"
        16⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb68355-8d4f-4c25-a9e9-5020e7c3d162.vbs"
        14⤵
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7707d70b-54c6-475d-b0ff-8052888c6d5a.vbs"
        12⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c02a1ca-f5a6-480a-8f3b-86fff37aa477.vbs"
        10⤵
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75722bcb-4ae5-4b23-aed9-51161d8c2666.vbs"
        8⤵
        
        PID:1512
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c1dfce6-672a-4170-9255-7898588c0247.vbs"
        6⤵
        
        PID:2140
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a3c2814-9958-4e8a-af55-3c02050017ba.vbs"
      4⤵
      PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001\e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\scrobj\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\aepdu\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\icsunattend\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\Admin\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\07cd4660-eadf-47b4-9d3f-708c4dcffec3.vbs

Filesize
796B

MD5
51ade43f77f84e60db3fec11fa6da2e8

SHA1
afb872196f260043d281f7933aaab69b340d6ca4

SHA256
df432a6de53e227b66915506a0b971ea30f1878fe6971cf6a6edd5a4cf57b241

SHA512
3f79f440ab07eb1cdf1d1b0742abc746906d055be3b00a5249801cc87bbda9c8ab0f120e4154b2163bb538af7ed2fbcdc4caae2130699a21882cde599e6b1bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\186e9635-12d1-475b-8d60-96d173b1d541.vbs

Filesize
796B

MD5
79345f8d4b71b45de807a6d8c140ea1a

SHA1
90c717301f28fb839c31715506986fa29d256059

SHA256
e4466fdddc3d4ef675190f117648c9243dbb0d918bfffb4ebec55f675abbdeb8

SHA512
14aec3ef30a28450f72702f0026ca5cd3203ec81014e00cf367a741196fff424f90263f945d9ddb5591eb7cd8ebae4ebc6d6630d1834bce96deb4b4d64dc3f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\20b9a6a4-984a-4b37-932f-58e0dfa19103.vbs

Filesize
796B

MD5
aa07d3f3ad1fb8df4cc66b4a1c9d0f63

SHA1
3891dcdaa46550a4485e877cd3848fc2548282e7

SHA256
860271859e21154935de7958fdf5762b74a5617df5373518cf4ce7dab45aac09

SHA512
443bee21631194ef528a95890a53022c8e58dc45ead52aa22f83f2c747ce8f818ca7501cac1e92fbb0d3bcdba0e0ac4296dcdd8d9a331c8fc4ce15af4aaf70f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4889376d-7b80-4186-95da-a0221773946b.vbs

Filesize
796B

MD5
5cdf8099363d0bac37e2182bd2aed501

SHA1
caf4b3fd07b25ac942b1bb2f185492cf85ed9499

SHA256
692d2c045cd3a26e11fc24f8b09d1311d6f90e08a5b87286aca482c668f2c3a1

SHA512
af92c37806882d54c9cfe0dc883ef309e45e51a37dafa8388ea79589c58afb135a1c68f85c182a28f478a6057a9c64742c6499d10cd9c51d3155835cfe155898

Download Submit
C:\Users\Admin\AppData\Local\Temp\6db4b9fb-ad3e-47a5-a4ad-0cb25ccc40c0.vbs

Filesize
796B

MD5
2b66a1b969c6dbe634e784a593f0506a

SHA1
80e69efe078c0c92c30728e6d86fc7e0480ae0b2

SHA256
25bf0a01e7e5898c45ab5b40d47fd980047ad9acadc306200e493909cf61fb21

SHA512
e88784d51590b43fec3d518fbadbfc650d23aa07eca1d5d2dbc03d8cba93adecbaeed2afd1b2fe053da1231b36e7d692d5b35e6f25e995114f9ae659d7d4959a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a3c2814-9958-4e8a-af55-3c02050017ba.vbs

Filesize
572B

MD5
a0eef1937b8a61b535fa0f0d5dd6ff39

SHA1
f8595396fea863dcaca2fbc08940a7ab7d6e8690

SHA256
30b17f64e84f593098d887f6217166940bbbefcd84d3fbe293dc92d97003c16a

SHA512
d73f36523888dd31d90ed1ec55d43d45373edbf3b046bccf86e9e2da94c2d9c7f8cd03dccd2b0164890db1173d2151258ee098008844a786e55a92506683e973

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b9725f5-c186-476d-88c7-b467d8232df2.vbs

Filesize
795B

MD5
5c11c84e4f3006216ef8a473d9f19bc0

SHA1
e3a82dfa5c84e4d74ad69d50b98ff4c743d2eeef

SHA256
a79b53b39c793511753e0cfd5858de767bb7b450e3dccb333b75ff8962a97406

SHA512
40cc0e53ad508de6ccccfe681c663d9f3ea58bb651931ea2feb3d8478ab3e0e11d50ca796482e5bd2c7b11c67e49fd066491f10c7fa963b9b5df5a7e1b9469f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\907b0bf2-536d-4969-940e-4acbae995ac3.vbs

Filesize
796B

MD5
c40b08559e21a73841e7525b52ee3d53

SHA1
f2619d61b453a24e5a6561fed09edc810b5c587e

SHA256
66803cda9e3558f284df3946ad78a6af47f4387405fac1c7178be2172b492654

SHA512
a607b45f12e5de4739723cb13cfd5b8761b4b92076a20c433477d6174100250e4e652e195447e8f3a24848fe8b7f185bd4ee93d285dfa2186eb7cc53a01bf50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9edd106a-9c4e-4ebc-8bbf-7dbc51afeb69.vbs

Filesize
796B

MD5
dea223d3056fbfdca6306ae1137dd23f

SHA1
19626f728481573fe7d828809fb36e5d0979447a

SHA256
b57ef51944c665ef95c99a63f1da81a777c82c4285aefc872d61f03ae3db127d

SHA512
44c1de3d0566b76e4a5ae0dbc473a6f9bdfa20f42dc1f85dd45135ef85cd38f780b5de98fe73e78fb9b7e38e735c428480431d3e3bb8486c589d052bd4d37b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\a85bbc1d-c661-4320-9c7c-9271ba88235b.vbs

Filesize
796B

MD5
d298d401680ae20ddf5b6d27c00a0c82

SHA1
4617c253c1d19bc6b455069d725a4250fccdc563

SHA256
19fea42769de50a58de1fc7858a808dea10ef62727cad4d4b02d01535eafbe3a

SHA512
d9fad77a4127f653593dac1053592e19da14a297491fd3109d4b877ec7c183ba960bd9b5526c5d1e47a39b01f8e029422953e2d9e1b7379b08420365c8cfc514

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9d50134-0008-4298-a414-cceb1f709792.vbs

Filesize
795B

MD5
ccce3780c2a49ae727a631a1d3a85eb4

SHA1
5fa77b4bd43462db23004e22463a7039b95584b9

SHA256
958c3b2f7158e56648e3b03f1eec5167e8207ea2e0156c5dd730c00b81f9c79f

SHA512
7db0a33fbbfc23b05f752356b500574012eeb9da5cb59f47657df2cfa9b8d5d4477d1d1ddd0ae17038ca789e0149c3db7024fe3ece9a24e700cb0ca81bd2073b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4fe0bd9-0aaa-4c7f-92e2-d92837fd828a.vbs

Filesize
796B

MD5
198014718e55523e43af4475ed694f93

SHA1
1d92a87cf23bdcc9e688e584843485fb8634140d

SHA256
110ec3f0ca754440f17cb064eec7028f0eef9a11de02b5f807436b006c7aed49

SHA512
40f245a83c9146528aa7fd7fb3d5631b988c9064fa500c36a58407e239cc1cdd80dd1bf8dc1b57094d46a5b7b9475947644a54296394e55a1861624191e8c402

Download Submit
C:\Users\Admin\AppData\Local\Temp\f42063a4-242d-4664-84a6-a98b25070bea.vbs

Filesize
796B

MD5
62bc14d048171e1b6a34e86ee61cc1d4

SHA1
07cdc2dfb1a04f20bc619b696780568165fd9b69

SHA256
dfbc62fc42b4c8d02d9c21378413a7f86f604bf12c3f53fb8b8708dcb3feeb0a

SHA512
8fee8ba146a969b100660344df4892ed32397d86dd56a676ccc152687fb1298a952098b1b1338db1bc46f57db552f83f78067efc237875bc4ad734adda0ec3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\xStTXOfv6F.bat

Filesize
284B

MD5
a65780a2e0ca1c12468e96f8520bcc08

SHA1
0ca4e4bad1f2b915a2cd36e97877f6af3a7ae907

SHA256
f09d84d5376fda4e9e6c14fb2b3d9c311b91188cbc0bcfd7d1e22bc948426d7b

SHA512
e1db1213de1a230e2ceda66d38e8e483b27fcd82e56ff3dc5ff6b931caf10cff07f459aeced79bbd6a4b22c39bda5976e920c274a2aaddc2483f912a8c0520fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
75fe68a416afa76286cf9e93bf025884

SHA1
4f076dc84fdea8ea1f9e6f494fc11c477d9c91e0

SHA256
87abec5a69617ac65f0f0026238c853e6f2b1e5ea59ecc06188aa60e5da8446b

SHA512
916f2a1c2b4e05bbd4e3a0907a8e9ba4888f2d940ef090cdfdd3213683e0d1dd4e96e139cda750cc0a26971090436cd41c9c80374ad1f32f103b970f9a9626b7

Download Submit
C:\Windows\DtcInstall\explorer.exe

Filesize
1.5MB

MD5
19d9a08825aa6caf9eb842eff80964cc

SHA1
e2d3e68847540e9911b5794d7f405e7e2306c4f7

SHA256
e1f91dd1eda7bceaffca238ec26a4226dc7ab8b37260d5dea2e5700f7a038970

SHA512
46cd84d8412d19baf1cd484fb9fd8de8ef32b67be5a9573a84d17df60e3ab5bde34cdefead852bd3840ca29610b252d940bbc5387022a90c6e7bbe5bdc2bb370

Download Submit
memory/640-262-0x0000000001120000-0x000000000129E000-memory.dmp

Filesize
1.5MB

Download
memory/1424-133-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1424-274-0x0000000001300000-0x000000000147E000-memory.dmp

Filesize
1.5MB

Download
memory/1424-134-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1892-203-0x0000000000350000-0x00000000004CE000-memory.dmp

Filesize
1.5MB

Download
memory/2480-250-0x0000000000390000-0x000000000050E000-memory.dmp

Filesize
1.5MB

Download
memory/2704-238-0x0000000000060000-0x00000000001DE000-memory.dmp

Filesize
1.5MB

Download
memory/2856-11-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2856-17-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2856-127-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-20-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2856-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2856-1-0x0000000000140000-0x00000000002BE000-memory.dmp

Filesize
1.5MB

Download
memory/2856-14-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2856-13-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2856-0-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2856-2-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-21-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2856-10-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2856-16-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2856-9-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2856-24-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-8-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2856-7-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2856-6-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2856-18-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2856-5-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2856-4-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2856-3-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2920-308-0x0000000001390000-0x000000000150E000-memory.dmp

Filesize
1.5MB

Download
memory/2920-309-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2960-215-0x0000000001360000-0x00000000014DE000-memory.dmp

Filesize
1.5MB

Download
memory/3040-192-0x00000000012B0000-0x000000000142E000-memory.dmp

Filesize
1.5MB

Download