dcrat | 4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06abb382ad59957f5f38c5c099a3b51f.exe
Size

1.1MB
MD5

06abb382ad59957f5f38c5c099a3b51f
SHA1

28509e4bd32e4fd4bc4d64b8e41ee7bbae1c0087
SHA256

bd7c02ba50734e9ca3988a4f138e3cb72956fdb24583fd7281ecbe9974bf06fd
SHA512

4934fe7ddbb62d1c027fd5999c785733721287ea3d352b44d81386304e16a652086b7b7e30668d630796b2d0347c1276eb5d7a1694252e08b11299a95c8d5da2
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\System32\\win32k\\services.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\System32\\win32k\\services.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\System32\\win32k\\services.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Program Files\\Uninstall Information\\services.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\System32\\win32k\\services.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Program Files\\Uninstall Information\\services.exe\", \"C:\\Windows\\System32\\ntdsapi\\taskhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\csrss.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2892	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2892	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
2932	powershell.exe
2856	powershell.exe
2848	powershell.exe
2832	powershell.exe
3040	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	06abb382ad59957f5f38c5c099a3b51f.exe

Executes dropped EXE 11 IoCs

pid	Process
2508	explorer.exe
916	explorer.exe
2792	explorer.exe
1524	explorer.exe
2020	explorer.exe
2120	explorer.exe
876	explorer.exe
2204	explorer.exe
1824	explorer.exe
2020	explorer.exe
1800	explorer.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Uninstall Information\\services.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\ntdsapi\\taskhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\ntdsapi\\taskhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\win32k\\services.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\win32k\\services.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Uninstall Information\\services.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\ntdsapi\b75386f1303e64	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\win32k\RCXDFC6.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\win32k\services.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\ntdsapi\RCXE5D2.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\ntdsapi\taskhost.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\win32k\services.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\win32k\c5b4cb5e9653cc	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\ntdsapi\taskhost.exe	06abb382ad59957f5f38c5c099a3b51f.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXE3CE.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Program Files\Uninstall Information\services.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Program Files\Uninstall Information\services.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	06abb382ad59957f5f38c5c099a3b51f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2788	schtasks.exe
2820	schtasks.exe
2876	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
2532	06abb382ad59957f5f38c5c099a3b51f.exe
3032	powershell.exe
2856	powershell.exe
2932	powershell.exe
3040	powershell.exe
2848	powershell.exe
2832	powershell.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
2508	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	06abb382ad59957f5f38c5c099a3b51f.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2508	explorer.exe
Token: SeDebugPrivilege	916	explorer.exe
Token: SeDebugPrivilege	2792	explorer.exe
Token: SeDebugPrivilege	1524	explorer.exe
Token: SeDebugPrivilege	2020	explorer.exe
Token: SeDebugPrivilege	2120	explorer.exe
Token: SeDebugPrivilege	876	explorer.exe
Token: SeDebugPrivilege	2204	explorer.exe
Token: SeDebugPrivilege	1824	explorer.exe
Token: SeDebugPrivilege	2020	explorer.exe
Token: SeDebugPrivilege	1800	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3032	2532	06abb382ad59957f5f38c5c099a3b51f.exe	37
PID 2532 wrote to memory of 3032	2532	06abb382ad59957f5f38c5c099a3b51f.exe	37
PID 2532 wrote to memory of 3032	2532	06abb382ad59957f5f38c5c099a3b51f.exe	37
PID 2532 wrote to memory of 3040	2532	06abb382ad59957f5f38c5c099a3b51f.exe	38
PID 2532 wrote to memory of 3040	2532	06abb382ad59957f5f38c5c099a3b51f.exe	38
PID 2532 wrote to memory of 3040	2532	06abb382ad59957f5f38c5c099a3b51f.exe	38
PID 2532 wrote to memory of 2832	2532	06abb382ad59957f5f38c5c099a3b51f.exe	39
PID 2532 wrote to memory of 2832	2532	06abb382ad59957f5f38c5c099a3b51f.exe	39
PID 2532 wrote to memory of 2832	2532	06abb382ad59957f5f38c5c099a3b51f.exe	39
PID 2532 wrote to memory of 2848	2532	06abb382ad59957f5f38c5c099a3b51f.exe	40
PID 2532 wrote to memory of 2848	2532	06abb382ad59957f5f38c5c099a3b51f.exe	40
PID 2532 wrote to memory of 2848	2532	06abb382ad59957f5f38c5c099a3b51f.exe	40
PID 2532 wrote to memory of 2856	2532	06abb382ad59957f5f38c5c099a3b51f.exe	41
PID 2532 wrote to memory of 2856	2532	06abb382ad59957f5f38c5c099a3b51f.exe	41
PID 2532 wrote to memory of 2856	2532	06abb382ad59957f5f38c5c099a3b51f.exe	41
PID 2532 wrote to memory of 2932	2532	06abb382ad59957f5f38c5c099a3b51f.exe	43
PID 2532 wrote to memory of 2932	2532	06abb382ad59957f5f38c5c099a3b51f.exe	43
PID 2532 wrote to memory of 2932	2532	06abb382ad59957f5f38c5c099a3b51f.exe	43
PID 2532 wrote to memory of 544	2532	06abb382ad59957f5f38c5c099a3b51f.exe	49
PID 2532 wrote to memory of 544	2532	06abb382ad59957f5f38c5c099a3b51f.exe	49
PID 2532 wrote to memory of 544	2532	06abb382ad59957f5f38c5c099a3b51f.exe	49
PID 544 wrote to memory of 2428	544	cmd.exe	51
PID 544 wrote to memory of 2428	544	cmd.exe	51
PID 544 wrote to memory of 2428	544	cmd.exe	51
PID 544 wrote to memory of 2508	544	cmd.exe	52
PID 544 wrote to memory of 2508	544	cmd.exe	52
PID 544 wrote to memory of 2508	544	cmd.exe	52
PID 2508 wrote to memory of 1484	2508	explorer.exe	53
PID 2508 wrote to memory of 1484	2508	explorer.exe	53
PID 2508 wrote to memory of 1484	2508	explorer.exe	53
PID 2508 wrote to memory of 2148	2508	explorer.exe	54
PID 2508 wrote to memory of 2148	2508	explorer.exe	54
PID 2508 wrote to memory of 2148	2508	explorer.exe	54
PID 1484 wrote to memory of 916	1484	WScript.exe	55
PID 1484 wrote to memory of 916	1484	WScript.exe	55
PID 1484 wrote to memory of 916	1484	WScript.exe	55
PID 916 wrote to memory of 2188	916	explorer.exe	56
PID 916 wrote to memory of 2188	916	explorer.exe	56
PID 916 wrote to memory of 2188	916	explorer.exe	56
PID 916 wrote to memory of 2972	916	explorer.exe	57
PID 916 wrote to memory of 2972	916	explorer.exe	57
PID 916 wrote to memory of 2972	916	explorer.exe	57
PID 2188 wrote to memory of 2792	2188	WScript.exe	58
PID 2188 wrote to memory of 2792	2188	WScript.exe	58
PID 2188 wrote to memory of 2792	2188	WScript.exe	58
PID 2792 wrote to memory of 632	2792	explorer.exe	59
PID 2792 wrote to memory of 632	2792	explorer.exe	59
PID 2792 wrote to memory of 632	2792	explorer.exe	59
PID 2792 wrote to memory of 3068	2792	explorer.exe	60
PID 2792 wrote to memory of 3068	2792	explorer.exe	60
PID 2792 wrote to memory of 3068	2792	explorer.exe	60
PID 632 wrote to memory of 1524	632	WScript.exe	61
PID 632 wrote to memory of 1524	632	WScript.exe	61
PID 632 wrote to memory of 1524	632	WScript.exe	61
PID 1524 wrote to memory of 2948	1524	explorer.exe	62
PID 1524 wrote to memory of 2948	1524	explorer.exe	62
PID 1524 wrote to memory of 2948	1524	explorer.exe	62
PID 1524 wrote to memory of 404	1524	explorer.exe	63
PID 1524 wrote to memory of 404	1524	explorer.exe	63
PID 1524 wrote to memory of 404	1524	explorer.exe	63
PID 2948 wrote to memory of 2020	2948	WScript.exe	64
PID 2948 wrote to memory of 2020	2948	WScript.exe	64
PID 2948 wrote to memory of 2020	2948	WScript.exe	64
PID 2020 wrote to memory of 2328	2020	explorer.exe	65

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06abb382ad59957f5f38c5c099a3b51f.exe
"C:\Users\Admin\AppData\Local\Temp\06abb382ad59957f5f38c5c099a3b51f.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\06abb382ad59957f5f38c5c099a3b51f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\win32k\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntdsapi\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\670S5NwDa7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2428
- - C:\PerfLogs\Admin\explorer.exe
    "C:\PerfLogs\Admin\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2508
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\273742ff-b46d-440b-b3be-fb60cef0a134.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:916
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1172b7d7-e966-449d-8ce0-11e485ccfc24.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf8f157-280c-415c-8317-8688087a40dd.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb22dcc5-fcd6-4bce-bcfd-17bce047ae49.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d747c6e-cd3b-4db8-ae95-64a459c168a9.vbs"
        12⤵
        
        PID:2328
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc9dcd30-a9a5-4486-9ebe-f8c577d6cc01.vbs"
        14⤵
        
        PID:1648
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5352bcb4-5285-4d8a-9fe1-f0243be824e2.vbs"
        16⤵
        
        PID:1936
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c677b26a-1a4f-4254-8072-b442ab736863.vbs"
        18⤵
        
        PID:3016
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e87991b-c1ed-4a8f-89f4-77e1e4a337be.vbs"
        20⤵
        
        PID:1932
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0480b39f-947a-4586-96d5-13b8b79ab397.vbs"
        22⤵
        
        PID:932
        
        C:\PerfLogs\Admin\explorer.exe
        
        C:\PerfLogs\Admin\explorer.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afdc5667-c739-440c-94dc-cf8f3a5601e2.vbs"
        24⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf3e7659-f98b-48c1-a827-7c2e3831b553.vbs"
        24⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fac4412-27dc-408d-86f0-5b52b76723a0.vbs"
        22⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5b6fe7a-c637-495f-a524-50a2fe1061f2.vbs"
        20⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeb04b49-b70a-4003-bda8-813299f2f02f.vbs"
        18⤵
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e34bb7-60a9-4df8-a154-d7cde56062ab.vbs"
        16⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5e61f7d-eaba-4260-bff9-28ee1d38847c.vbs"
        14⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2fecdca-56df-4b4c-a49d-b095e3de5464.vbs"
        12⤵
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f86146c4-c200-4cc7-86be-e691aaacc799.vbs"
        10⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed501b96-0a9d-4a94-b144-69a39c02e442.vbs"
        8⤵
        
        PID:3068
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d563588a-a3e0-4ac1-9c2c-6557e09171e4.vbs"
        6⤵
        
        PID:2972
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f387738a-2f19-4c86-af61-8eed91d904ba.vbs"
      4⤵
      PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\win32k\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\ntdsapi\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1172b7d7-e966-449d-8ce0-11e485ccfc24.vbs

Filesize
705B

MD5
49d07f9ac530d003cc206aeaeb48792f

SHA1
ad6391e500ab74f15616aecc57ab08566e0dfc10

SHA256
155629c13b08339e70d72afb4315bcd87dd4b1c96c2ed32348733d3d57279132

SHA512
cb1838fce2eeeb8f7ceab47392ef9a986b6ff39b771dfd5422dcaab04871503836108e5e7e3843865da5c31e459879109197f6f19864a0f80622992ba8883daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\273742ff-b46d-440b-b3be-fb60cef0a134.vbs

Filesize
706B

MD5
5ca131a5784cc35f505fbcb23326ddd6

SHA1
756f4bf0e6543cb9df1067b585af9f69a873d715

SHA256
727175fbb3c739404991a23687e843fd92eb766b7a300a664f489f91a20bd85e

SHA512
79de82cc7cc5439860dcd420f114864359ee7e84aa5f472e5cdd994d5f2e787479ccde867e8f2e49ec490ecc9e46ee2b957bd2eecc0e6719b2fca8c72922f5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d747c6e-cd3b-4db8-ae95-64a459c168a9.vbs

Filesize
706B

MD5
abde9c18b48e5a626bbf2b3c6e6a307a

SHA1
7ba4548160b11c0404bd793d85fb143dd850e112

SHA256
0cd784f2985badeb229a7c71447dbcd120cb0b0083622d4ce96e81760a46865b

SHA512
e408a10dba79814db2c4763b5494c476646120011c77b16e791bca2fe25524ef5599f799708dfd3080fa9b9571f2c6df5764e678f3374e6a7e409c122d5ea427

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e87991b-c1ed-4a8f-89f4-77e1e4a337be.vbs

Filesize
706B

MD5
fbea51b774cb39e579537da1e92070da

SHA1
aca6fbbdbe662abb9e5b697c370433eb057eaca5

SHA256
5568ce55d2c3a7b8f60ec7401a4a7b7729c07b6cb1c3ec6036f3afd29c610984

SHA512
abdc2ba6e43785c161625e3a58721353b7484905efbfa1d09de73aaad6763a19617371a044ae6343ddd6b156b5bf49d17e86b1b1c5c7263ed8ad8fd5512bad5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5352bcb4-5285-4d8a-9fe1-f0243be824e2.vbs

Filesize
705B

MD5
47d1d0a238a3aa03e5a86b915cf1c83e

SHA1
c82a39919c04e64054eac5f789d622c835b86889

SHA256
6e2d8582c6139180d915fd1d53c63edda0842c1a3edec8a302cf6426c5f91ec0

SHA512
24688a971d9f6df9c18d3cf5cd3d98a4615a568fe504e18b6c430d9ee460141a8a89d160dcb5f4aca3aae08c0ef87cbb2c0920fd7bf3163efed280dc4bbf19ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\670S5NwDa7.bat

Filesize
194B

MD5
e1d3af0cc320a877244a5c0d1ca40464

SHA1
f1aab9631a988fd5c5733ed11cf47a1ef1760502

SHA256
1dc34a823152c2d051e06a42e15abcaf8ea14057c3a1afce882147dc85ff3759

SHA512
6e50f33fdcb8b01ab573e5a637d934ceca146fca776000e1bcc88364e47aaae6bfa1d7072f94a0ce0af91564625481ee14910e435b62515e2c26ec46a57b7dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdc5667-c739-440c-94dc-cf8f3a5601e2.vbs

Filesize
706B

MD5
d308e75e6b6bea33e3a9ef70f35015a4

SHA1
8e6d5b994b193f5050a97fa63d818f05d52b01e1

SHA256
70fcabb16e545c76e0fef3333d219240ba3e92d6fdc658a6b2004f7a33669f10

SHA512
26f99d1818f0361da40f89f932da4a7920322c9d49ec845df1f859f7359aac8df72eb1104a732d5f7db6194a9485c21ee865aa3ff1ab56e68dbd5d76c3e1503b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb22dcc5-fcd6-4bce-bcfd-17bce047ae49.vbs

Filesize
706B

MD5
c1a7cc41a2f40d5c9f7c7175c8306244

SHA1
b6fd615c6d20ae6c5d82c0121dd60560d589f963

SHA256
3c9f9682bb01ebcce03da43329cf94099fb435ae2209cb268f1c295f3bf9b180

SHA512
804ec3f51b88596cc804a0539fe9b1d6d7530140b22ad81b0f1b26b693205c5a7895f05064b95ebdf84950d696a6dccee02cfbf342805f09ef2c3a743ba8480d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c677b26a-1a4f-4254-8072-b442ab736863.vbs

Filesize
706B

MD5
d0df51565bd429903e63d7133d1bfead

SHA1
24eb134302594eb99826fcd3610a05129e8e3a92

SHA256
721c39f2bf1fd2bb6afe5b57f14b8e9a03cfc3957551bf86b8abd275084d5473

SHA512
00b72a7a9b63e369d6046373b07c80dde36d0285041c85d57bcbf888001ee22db5b173d366a3157ebc6479d572a9a2ba7efec3cc495bbdc1f5a751a6726d0e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbf8f157-280c-415c-8317-8688087a40dd.vbs

Filesize
706B

MD5
857fa7108fcd32187d1844e8d9bad531

SHA1
a900bb3815fb4bfb6ff040c8c21af28e171e89e0

SHA256
5a9c37e6d18fc8ba29d5e4fd1545ae761e30230ebc79b1cea08369f1f2319e9f

SHA512
ae089dbb044dbb690fb90ae2592a41f34017e2fab3539a88c479eb42a46dff68d601b861e4d3fd80ec50054d867f430a0142df6b0d17860a504b0cc5f72b2868

Download Submit
C:\Users\Admin\AppData\Local\Temp\f387738a-2f19-4c86-af61-8eed91d904ba.vbs

Filesize
482B

MD5
e96acce1f24ddb647bf6650ca31ed8f8

SHA1
e5d3b15bb025f63c8318520e4f637e978a42d5ee

SHA256
438c35c9aef5131210e2e96f2e21168b82df4e512933ac075399f9d527980e36

SHA512
1a23f3530c9233878af9dd584bab8cc8af34c15d80c163fdf5d2fa7863df3627041934ae0525ae6a1df790bbc060049f574e80f7a2dba2603bbf5cc789aa722c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc9dcd30-a9a5-4486-9ebe-f8c577d6cc01.vbs

Filesize
706B

MD5
ee544ad4d4577c90a06b94e80b5613ff

SHA1
27b1c6f87955664cc419ea1706b01752e68895d2

SHA256
eee6f00cca6544ffe5e17a8ea926417307d98ab1ea26fa1e684858ce53096243

SHA512
dc662be4bfc0991c8e92edaeda64b79070b781bc1d880a8a47512557c5eba30e47e4819e55630956faeea67f688348869cd72e3bfd5f0dc679ae30d06b18fe56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c9fb59d3c803c25c1a28d49e4fb3cc98

SHA1
6d5c2880ad10dc4f3bc83407f58022160d849561

SHA256
3a2e8a18c29895fde0a2960d06bff416fb236cdcf41608ed44e04bca168985a7

SHA512
b59afe1b20e8026728a0ae9070c00dbc0d9776161d21dadaaef8561c8f0dfd6701d164f0f8a8c063efa1e68c7effeff55d2541fb0c46df22a056a1ec6315ef6e

Download Submit
C:\Windows\System32\ntdsapi\taskhost.exe

Filesize
1.1MB

MD5
06abb382ad59957f5f38c5c099a3b51f

SHA1
28509e4bd32e4fd4bc4d64b8e41ee7bbae1c0087

SHA256
bd7c02ba50734e9ca3988a4f138e3cb72956fdb24583fd7281ecbe9974bf06fd

SHA512
4934fe7ddbb62d1c027fd5999c785733721287ea3d352b44d81386304e16a652086b7b7e30668d630796b2d0347c1276eb5d7a1694252e08b11299a95c8d5da2

Download Submit
memory/876-177-0x0000000000350000-0x0000000000464000-memory.dmp

Filesize
1.1MB

Download
memory/916-120-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/916-119-0x0000000000280000-0x0000000000394000-memory.dmp

Filesize
1.1MB

Download
memory/1800-225-0x00000000011F0000-0x0000000001304000-memory.dmp

Filesize
1.1MB

Download
memory/1800-226-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1824-201-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2020-213-0x0000000001100000-0x0000000001214000-memory.dmp

Filesize
1.1MB

Download
memory/2204-189-0x0000000000850000-0x0000000000964000-memory.dmp

Filesize
1.1MB

Download
memory/2508-108-0x0000000001160000-0x0000000001274000-memory.dmp

Filesize
1.1MB

Download
memory/2532-20-0x0000000002010000-0x000000000201C000-memory.dmp

Filesize
48KB

Download
memory/2532-14-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2532-49-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-3-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2532-91-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-1-0x0000000000220000-0x0000000000334000-memory.dmp

Filesize
1.1MB

Download
memory/2532-4-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2532-6-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2532-8-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2532-10-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2532-11-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/2532-12-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/2532-2-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-5-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2532-15-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2532-18-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2532-0-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

Filesize
4KB

Download
memory/2532-24-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-21-0x0000000002020000-0x0000000002028000-memory.dmp

Filesize
32KB

Download
memory/2532-17-0x0000000001FF0000-0x0000000001FFC000-memory.dmp

Filesize
48KB

Download
memory/2532-16-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2532-13-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/2532-9-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2532-7-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2792-132-0x0000000000BF0000-0x0000000000D04000-memory.dmp

Filesize
1.1MB

Download
memory/3032-92-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/3032-89-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download