dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Size

1.6MB
MD5

1ce9d2fa35466d6d37d1d56f63408884
SHA1

a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc
SHA256

0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1
SHA512

f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5316	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5536	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5440	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3152	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3152	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/2376-1-0x00000000002B0000-0x0000000000452000-memory.dmp	dcrat
behavioral4/files/0x00070000000241c5-26.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
4296	powershell.exe
1784	powershell.exe
5108	powershell.exe
2400	powershell.exe
5380	powershell.exe
4836	powershell.exe
4968	powershell.exe
4292	powershell.exe
60	powershell.exe
2068	powershell.exe
2036	powershell.exe
1004	powershell.exe
2680	powershell.exe
408	powershell.exe
4964	powershell.exe
5716	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 16 IoCs

pid	Process
5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
1344	WmiPrvSE.exe
2956	WmiPrvSE.exe
5808	WmiPrvSE.exe
3616	WmiPrvSE.exe
436	WmiPrvSE.exe
4052	WmiPrvSE.exe
3360	WmiPrvSE.exe
2104	WmiPrvSE.exe
1148	WmiPrvSE.exe
5332	WmiPrvSE.exe
3884	WmiPrvSE.exe
5236	WmiPrvSE.exe
3972	WmiPrvSE.exe
5480	WmiPrvSE.exe
1884	WmiPrvSE.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files\WindowsPowerShell\dllhost.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\6cd8f211ede04b	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files\WindowsPowerShell\dllhost.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\csrss.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files\WindowsPowerShell\5940a34987c991	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\27d1bcfc3c54e0	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\22eafd247d37c3	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX6269.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX626A.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	WmiPrvSE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4312	schtasks.exe
3516	schtasks.exe
4820	schtasks.exe
5356	schtasks.exe
3012	schtasks.exe
4700	schtasks.exe
4828	schtasks.exe
5528	schtasks.exe
2624	schtasks.exe
2532	schtasks.exe
4868	schtasks.exe
4596	schtasks.exe
5536	schtasks.exe
3128	schtasks.exe
3228	schtasks.exe
3512	schtasks.exe
2216	schtasks.exe
964	schtasks.exe
3736	schtasks.exe
1064	schtasks.exe
3244	schtasks.exe
2536	schtasks.exe
5232	schtasks.exe
4876	schtasks.exe
6036	schtasks.exe
5008	schtasks.exe
5440	schtasks.exe
4712	schtasks.exe
5736	schtasks.exe
4812	schtasks.exe
4688	schtasks.exe
2680	schtasks.exe
4212	schtasks.exe
4780	schtasks.exe
5320	schtasks.exe
4680	schtasks.exe
4196	schtasks.exe
2372	schtasks.exe
2476	schtasks.exe
4980	schtasks.exe
4896	schtasks.exe
4964	schtasks.exe
5316	schtasks.exe
6076	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
4836	powershell.exe
4836	powershell.exe
5380	powershell.exe
5380	powershell.exe
5716	powershell.exe
5716	powershell.exe
2036	powershell.exe
2036	powershell.exe
2068	powershell.exe
2068	powershell.exe
1004	powershell.exe
1004	powershell.exe
5716	powershell.exe
1004	powershell.exe
2036	powershell.exe
2068	powershell.exe
4836	powershell.exe
5380	powershell.exe
5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
4964	powershell.exe
4964	powershell.exe
1784	powershell.exe
1784	powershell.exe
5052	powershell.exe
5052	powershell.exe
4968	powershell.exe
4968	powershell.exe
2680	powershell.exe
2680	powershell.exe
60	powershell.exe
60	powershell.exe
4296	powershell.exe
4296	powershell.exe
2400	powershell.exe
2400	powershell.exe
5108	powershell.exe
5108	powershell.exe
4292	powershell.exe
4292	powershell.exe
1784	powershell.exe
408	powershell.exe
408	powershell.exe
4964	powershell.exe
4968	powershell.exe
5052	powershell.exe
60	powershell.exe
2680	powershell.exe
5108	powershell.exe
2400	powershell.exe
4292	powershell.exe
408	powershell.exe
4296	powershell.exe
1344	WmiPrvSE.exe
2956	WmiPrvSE.exe
5808	WmiPrvSE.exe
5808	WmiPrvSE.exe
3616	WmiPrvSE.exe
436	WmiPrvSE.exe
4052	WmiPrvSE.exe
3360	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1344	WmiPrvSE.exe
Token: SeDebugPrivilege	2956	WmiPrvSE.exe
Token: SeDebugPrivilege	5808	WmiPrvSE.exe
Token: SeDebugPrivilege	3616	WmiPrvSE.exe
Token: SeDebugPrivilege	436	WmiPrvSE.exe
Token: SeDebugPrivilege	4052	WmiPrvSE.exe
Token: SeDebugPrivilege	3360	WmiPrvSE.exe
Token: SeDebugPrivilege	2104	WmiPrvSE.exe
Token: SeDebugPrivilege	1148	WmiPrvSE.exe
Token: SeDebugPrivilege	5332	WmiPrvSE.exe
Token: SeDebugPrivilege	3884	WmiPrvSE.exe
Token: SeDebugPrivilege	5236	WmiPrvSE.exe
Token: SeDebugPrivilege	3972	WmiPrvSE.exe
Token: SeDebugPrivilege	5480	WmiPrvSE.exe
Token: SeDebugPrivilege	1884	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 5716	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	106
PID 2376 wrote to memory of 5716	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	106
PID 2376 wrote to memory of 2068	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	107
PID 2376 wrote to memory of 2068	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	107
PID 2376 wrote to memory of 5380	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	108
PID 2376 wrote to memory of 5380	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	108
PID 2376 wrote to memory of 2036	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	109
PID 2376 wrote to memory of 2036	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	109
PID 2376 wrote to memory of 4836	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	110
PID 2376 wrote to memory of 4836	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	110
PID 2376 wrote to memory of 1004	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	111
PID 2376 wrote to memory of 1004	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	111
PID 2376 wrote to memory of 5904	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	118
PID 2376 wrote to memory of 5904	2376	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	118
PID 5904 wrote to memory of 2680	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	151
PID 5904 wrote to memory of 2680	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	151
PID 5904 wrote to memory of 4968	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	152
PID 5904 wrote to memory of 4968	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	152
PID 5904 wrote to memory of 4964	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	153
PID 5904 wrote to memory of 4964	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	153
PID 5904 wrote to memory of 1784	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	154
PID 5904 wrote to memory of 1784	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	154
PID 5904 wrote to memory of 408	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	156
PID 5904 wrote to memory of 408	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	156
PID 5904 wrote to memory of 60	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	157
PID 5904 wrote to memory of 60	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	157
PID 5904 wrote to memory of 2400	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	159
PID 5904 wrote to memory of 2400	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	159
PID 5904 wrote to memory of 5108	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	160
PID 5904 wrote to memory of 5108	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	160
PID 5904 wrote to memory of 4296	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	162
PID 5904 wrote to memory of 4296	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	162
PID 5904 wrote to memory of 4292	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	163
PID 5904 wrote to memory of 4292	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	163
PID 5904 wrote to memory of 5052	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	164
PID 5904 wrote to memory of 5052	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	164
PID 5904 wrote to memory of 6080	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	173
PID 5904 wrote to memory of 6080	5904	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	173
PID 6080 wrote to memory of 5948	6080	cmd.exe	175
PID 6080 wrote to memory of 5948	6080	cmd.exe	175
PID 6080 wrote to memory of 1344	6080	cmd.exe	177
PID 6080 wrote to memory of 1344	6080	cmd.exe	177
PID 1344 wrote to memory of 3196	1344	WmiPrvSE.exe	178
PID 1344 wrote to memory of 3196	1344	WmiPrvSE.exe	178
PID 1344 wrote to memory of 5020	1344	WmiPrvSE.exe	179
PID 1344 wrote to memory of 5020	1344	WmiPrvSE.exe	179
PID 3196 wrote to memory of 2956	3196	WScript.exe	180
PID 3196 wrote to memory of 2956	3196	WScript.exe	180
PID 2956 wrote to memory of 3396	2956	WmiPrvSE.exe	181
PID 2956 wrote to memory of 3396	2956	WmiPrvSE.exe	181
PID 2956 wrote to memory of 952	2956	WmiPrvSE.exe	182
PID 2956 wrote to memory of 952	2956	WmiPrvSE.exe	182
PID 3396 wrote to memory of 5808	3396	WScript.exe	188
PID 3396 wrote to memory of 5808	3396	WScript.exe	188
PID 5808 wrote to memory of 1688	5808	WmiPrvSE.exe	189
PID 5808 wrote to memory of 1688	5808	WmiPrvSE.exe	189
PID 5808 wrote to memory of 1488	5808	WmiPrvSE.exe	190
PID 5808 wrote to memory of 1488	5808	WmiPrvSE.exe	190
PID 1688 wrote to memory of 3616	1688	WScript.exe	194
PID 1688 wrote to memory of 3616	1688	WScript.exe	194
PID 3616 wrote to memory of 5716	3616	WmiPrvSE.exe	195
PID 3616 wrote to memory of 5716	3616	WmiPrvSE.exe	195
PID 3616 wrote to memory of 4796	3616	WmiPrvSE.exe	196
PID 3616 wrote to memory of 4796	3616	WmiPrvSE.exe	196

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
"C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\87efddaf44110a3d80760c508da79ad7\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
  "C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeCore\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:60
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\87efddaf44110a3d80760c508da79ad7\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YhsvDPADKl.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6080
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5948
  - - C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
      "C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8e0531a-9959-43bb-8a50-48ee553ea349.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7710f4-d457-485a-84bb-3baf2412e89b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03732bbf-0bea-4058-a4a6-ab0c5bd689cd.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42d515c8-bf9d-4c08-9bc9-19fbc4892952.vbs"
        11⤵
        
        PID:5716
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a511e169-0688-4a65-ae0b-399925831597.vbs"
        13⤵
        
        PID:5156
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3068705-9a25-4f55-972d-b8f951e449db.vbs"
        15⤵
        
        PID:3852
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7423e217-8d3a-4c8c-b0c7-7f455b3660be.vbs"
        17⤵
        
        PID:3612
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a584e3a4-502c-457d-be10-6472da15baba.vbs"
        19⤵
        
        PID:5584
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3a0a9fa-dea0-40b9-ab34-23ccc2d901e6.vbs"
        21⤵
        
        PID:4660
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd337da3-30e6-4572-9a02-ee37cefa9041.vbs"
        23⤵
        
        PID:3200
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c26f6f9-3d90-47f4-acd3-a42b29e8bd68.vbs"
        25⤵
        
        PID:372
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f336560-d28f-4f56-b47f-483b4ccce2fd.vbs"
        27⤵
        
        PID:2076
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91d9e3ea-0049-40ee-9e99-7186dbdf3d4d.vbs"
        29⤵
        
        PID:5880
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d44a52-b9a8-4b1d-82c4-1a0848332855.vbs"
        31⤵
        
        PID:2220
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        
        C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8851adf7-76e9-458c-8235-8ccf6e6f1a2f.vbs"
        33⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35205c99-1ebe-4382-a883-8b209fe37650.vbs"
        33⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5e73bde-dc52-40e4-8be8-5667420b2a7b.vbs"
        31⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29a7861-8f31-410b-8003-260c08987fdf.vbs"
        29⤵
        
        PID:4800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b444c0fd-97fb-4b1d-964e-6ad65d212875.vbs"
        27⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\777981a7-8412-488d-bf38-10cb7bf7259d.vbs"
        25⤵
        
        PID:5536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7df25dbb-250e-4e31-9910-a12ef6d46c26.vbs"
        23⤵
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e492fa08-e12d-42e2-b01e-bce240022c6b.vbs"
        21⤵
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fee506-712e-4185-8bcc-69e0e92b9a74.vbs"
        19⤵
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35702ae7-0ad8-4b64-a981-d99390e248c7.vbs"
        17⤵
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14efb002-69d2-478e-bd89-dc7365915ade.vbs"
        15⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe9527e-5635-420c-9798-77fb8dace02f.vbs"
        13⤵
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eae546d-0bf1-47ac-950e-4ca867e240dd.vbs"
        11⤵
        
        PID:4796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99095ebd-299d-44c1-a524-ee188c63e9a1.vbs"
        9⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\441f39a7-1cf5-44d6-8493-bbb6aeb22bee.vbs"
        7⤵
        
        PID:952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38270b31-f996-4d0d-8a45-5b64fc9aab9c.vbs"
        5⤵
        
        PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\87efddaf44110a3d80760c508da79ad7\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\87efddaf44110a3d80760c508da79ad7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a10" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a10" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a10" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a10" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\87efddaf44110a3d80760c508da79ad7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\87efddaf44110a3d80760c508da79ad7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69971f6dd2b6d993cb917ecf60e31f9c

SHA1
6e1c2dca54d36bfd8f7fa4d0fd8679eb9fdc47c3

SHA256
50ae1cde2c86a60b0e3b158b7723f9b0d5e1147b98ae3103785aeef74763944f

SHA512
c9e8ff746eb5eda444fe81229aea6bc8faf41887917f9cd1069a556694a1632361649d67c3c56aefc6882e80965d1637d2a3c106cb75cedf61f406f7d2010526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ff4a967012d041f24f777799e626cce4

SHA1
cd1d31edfe04a9b39f8b2732376ba466c8a66346

SHA256
2bb6758e5d9612b5d554149ea754704ae992db5f1848a060f50e08ffbfc85d4e

SHA512
45a214acf08c71fbc4946a624d1ff4d95f08c508bd157990447addd9556c75dbba2dfd41c42cd22c14f0dd92b2685775bb04b8c561d34d793564e07edc922421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d1deade86a558baa0001eab3f74b16b

SHA1
3fa436638817cf90a5ddc691d6958b32c6e1f037

SHA256
a6f2f05965718bc072ca71644afcbed776fdbd3db33e6c460a501177fa5e21e6

SHA512
1d2eac199777a1fa0f4a39c28df940536883bd60c2d96c5902b9da7a55fe709ed81c6a8d82524ccbf3460feef9bfe1f9b240de11ec994c9f4c5c26a0dbc5e6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e2efbfd23e33d8d07d019bdd9ca20649

SHA1
68d3b285c423d311bdf8dc53354f5f4000caf386

SHA256
f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

SHA512
b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01841b4277227c0578c89131444e7d57

SHA1
b00fbb6cabb5d09d50c28c0fdc62e5e6917b0c5d

SHA256
34797c2cafe0d94ea265e6aba8e38c3c34532e125bdd6dc8c1eab16a977a8cfa

SHA512
15c656ce162ff535506f9f22d285355576e53b89baebc1064523ab59f2eccb111cdd71c1fd66e59995d0727993bd268c976a9bd6cd78ff78d19a3c13436f0497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f545274ba19d9199a78f74cd05e8187

SHA1
4036cf78d3f310af42963c8f16ae27c5922b5dff

SHA256
3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

SHA512
b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\03732bbf-0bea-4058-a4a6-ab0c5bd689cd.vbs

Filesize
716B

MD5
11eeb72bd7754d002b71831a11a5da15

SHA1
3d220863ef19438abb50dd3c091a788308109820

SHA256
0fdb0831e4a1679996b1ee6e40665659e66040c2ea0c28dfc58a15f9eeb558b6

SHA512
48b4193fa1f07ae6a82c11c7b3408aed4654051745a5305c449b255193d341dd3c8ff1c5844f5b5c882a156633b3c888020e53d48cee69043a83ffe8b2941dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\38270b31-f996-4d0d-8a45-5b64fc9aab9c.vbs

Filesize
492B

MD5
d92ac0aeefa7d183ce765801451b8087

SHA1
9d6736477b522ceaa55318dd8b75952ea12a3c60

SHA256
897f09587db427e6ef0ede5aa6993ac65a471c36199f8709dc1fe3b90a94d5ac

SHA512
0b32ea98feb045338d941dd7f3d935b73a7c7efbff1ceb5f1b8bdf046e1fc08c984ccd374463dfa39496a39c11a0aa4f2971524fdcf726c25cf863602fd37847

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b7710f4-d457-485a-84bb-3baf2412e89b.vbs

Filesize
716B

MD5
750c3f485a6de134fb5e14fd21d0c994

SHA1
ad6735469773324795692633898a89856bca4273

SHA256
bab3dad2842da28fcec7b2c0dce9088476f7bed0470d2f53d15ec9827898462d

SHA512
37f3d45d3a91a71867ca960962e5c5909be4b7afead059b204671079778e3bf5de3eb4124735598cb818bf8ca54a590697a317d16c1c76f7fd6c0208f2d303d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c26f6f9-3d90-47f4-acd3-a42b29e8bd68.vbs

Filesize
716B

MD5
74ed5f872e01feacee6e06dd50a1f6fa

SHA1
4d86a7bdee1bdc3239407d65a187c2fd73bdcf82

SHA256
f20c2d43a9ec3d4fe244c72d78019f94c0d7a6a8458ae915a5eecadb24107c03

SHA512
a3504dc10da57b70a8926c62d081c1504b8544657e32daa936431500988355c75da6860438679a0605c617ef5a41ee1b2aaf906c3f47d42fe95ee5322614a2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\42d515c8-bf9d-4c08-9bc9-19fbc4892952.vbs

Filesize
716B

MD5
32b8f27f354944eb877b1cbaa6e47431

SHA1
66eea418ea1dd13c02429750548fd2781ce8f18a

SHA256
ed3a466eb218e71217395135a135bd9ab7dcba293fa7932e5ce4cfb8fcd681b6

SHA512
484d481b99dee08b22b679b2e1be1496d9d9e6cf12e16834992eb3534e6ef68723a12770af871aa89d721381134e69a27d1a7392263544c4ad073fd9427da791

Download Submit
C:\Users\Admin\AppData\Local\Temp\7423e217-8d3a-4c8c-b0c7-7f455b3660be.vbs

Filesize
716B

MD5
0bca92e6b0c6c5d86f16628407b46579

SHA1
fc38978153a81f67c73ecf8207550a277b760fcd

SHA256
fd967bc01e38478d024a9a9e2d588833df3bcc30c0c1ba8e68158c64576a21d6

SHA512
b72ed70e783cff38985bc96aa1a82dedc3ff5873244844f99bee0cf9df1782a96774f986d02cb5c5e71214fbfe6269a0bc5c2d7bf5986c478a9c4ca30802d02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YhsvDPADKl.bat

Filesize
205B

MD5
f047867c8de6077fa32f726c7417b697

SHA1
092f598e996d02e0938f2dce3258b30627627b58

SHA256
96ef854c71d2e3a4244bbf37f206b6d8b4c4cb91e638941120a42283dc84f951

SHA512
f4aec9123a5e7b6f6e55fb169d8e3ea11f8deb4a5a7fddb1cfe345b34825855277f634897b7462132f1dee8dfd85d21492213cb8133fa101e00dea8b4098bb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cu2p5wu.yrs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a511e169-0688-4a65-ae0b-399925831597.vbs

Filesize
715B

MD5
77d0991c0c6b763bb811029f6cc9059d

SHA1
e95588e1924aea83885ff5f67bb7edfb6ba84631

SHA256
6e51a594963b35bcfd88f5f7ea4ee22bcda854c2e313a0154751026ef8c34ab3

SHA512
8e1ca85dd0bcbfc025194e942bf4230fc41d2a375e1af7679f12a89ac93324c8d5942abe38a8b0010df009e46ab52731db1c692cdb45c513835844894296bdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a584e3a4-502c-457d-be10-6472da15baba.vbs

Filesize
716B

MD5
bd9c37fe48de2c6752e459da3328f1fb

SHA1
5a04c6cae9e2ac831a4aa393777cc501e6662519

SHA256
63f2c893dc82eb0b8c5d6e002837f5bbd16c8e6269e298ae695522d3056bdee5

SHA512
4585900b1c2a0db64c5f19a5af7f7cc8ed60904c04af6e38dce6f83f49371ac78ff03e15a5fb1242919ba406d54f26c2baea66649edf069087521b06aab6b268

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd337da3-30e6-4572-9a02-ee37cefa9041.vbs

Filesize
716B

MD5
6821b55577eb27530de2c9de78900d9d

SHA1
f9c9cef9517a22c7c932bf525de3cb6412b01992

SHA256
d6f08fc1dc062ad9ee2e2646b2c486cba326a1df8d83260777dc2fa7c70272f9

SHA512
0b0302a51536ef817fd47e564a01ab07d4dcd5f597e6ad29a52bc90f72aa267c24232c08dade18579ba0343d04442020944fe1263bff0494f2356fe4d8c7e02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3068705-9a25-4f55-972d-b8f951e449db.vbs

Filesize
716B

MD5
d52d7e2235a8beac6602ee0b62374e80

SHA1
e128532d752a1e2649ba32b01e85d6cbd4eaf4ab

SHA256
0654029c1e1755d57d723e5b5a6e16ed900c423d8c68f016c351999524cd1814

SHA512
409333ef0c8c3e64b9f31a2daa47643e3e7f6e80ecf763238e1b69e3b3a1fea715ebb75861ffd28cc22a21677ab9489563139012dda7a9732b4814d9afaff5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8e0531a-9959-43bb-8a50-48ee553ea349.vbs

Filesize
716B

MD5
ef6e65d8b27e34241808ccdcf990d6db

SHA1
a8ee3dc3e241c6998ff7284505280f48e24bdf4c

SHA256
de8fedf3dff2867765ce702dd9e5ad6aaa79c0972eae4002e645122fa50b9965

SHA512
74a0af2a440fff65b57e16a9a990f2624e808fcefa604536b40b3e79a05bf0bbf47b9e5156dd87c8730f93f424376d61698dd8beebb28aa87d9f008af59a1748

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3a0a9fa-dea0-40b9-ab34-23ccc2d901e6.vbs

Filesize
716B

MD5
662c58302c21263c635feaa5370ad0ec

SHA1
61ad9b2488d8b3094f9cc254b105de6541aea252

SHA256
5ff1e5300a4540de63c58e7b23d7d045631d2c1f481bc96b6bd05902750ab6c0

SHA512
14403f62f5587bb5c30e1f860a6611161849bacb7c0995a4f11fff53126fd4caf6f6d22d07d37c41c0dfb5ea5fbfe8dbe37bdc87fced1b33363f9f0cae69a12c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\winlogon.exe

Filesize
1.6MB

MD5
1ce9d2fa35466d6d37d1d56f63408884

SHA1
a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc

SHA256
0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1

SHA512
f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2

Download Submit
memory/2376-6-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2376-2-0x00007FFDC1D90000-0x00007FFDC2851000-memory.dmp

Filesize
10.8MB

Download
memory/2376-8-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/2376-14-0x000000001B920000-0x000000001B928000-memory.dmp

Filesize
32KB

Download
memory/2376-4-0x000000001B0F0000-0x000000001B140000-memory.dmp

Filesize
320KB

Download
memory/2376-5-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/2376-3-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/2376-9-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/2376-0-0x00007FFDC1D93000-0x00007FFDC1D95000-memory.dmp

Filesize
8KB

Download
memory/2376-7-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/2376-10-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/2376-1-0x00000000002B0000-0x0000000000452000-memory.dmp

Filesize
1.6MB

Download
memory/2376-11-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/2376-12-0x000000001B900000-0x000000001B90A000-memory.dmp

Filesize
40KB

Download
memory/2376-13-0x000000001B910000-0x000000001B91E000-memory.dmp

Filesize
56KB

Download
memory/2376-15-0x000000001B930000-0x000000001B938000-memory.dmp

Filesize
32KB

Download
memory/2376-150-0x00007FFDC1D90000-0x00007FFDC2851000-memory.dmp

Filesize
10.8MB

Download
memory/2376-16-0x000000001B940000-0x000000001B94A000-memory.dmp

Filesize
40KB

Download
memory/2376-17-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/4836-95-0x000001B6AD850000-0x000001B6AD872000-memory.dmp

Filesize
136KB

Download