dcrat | 6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

Resubmissions

12-01-2023 20:01

230112-yrh6hsae52 10

07-01-2023 04:41

230107-fa3jqagb8t 10

07-01-2023 04:21

230107-eynj2acf87 10

Analysis

max time kernel
60s
max time network
62s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
07-01-2023 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Size

3.8MB
MD5

0a0a64f3c4fa7d960be983aa0a7d0ce8
SHA1

b597c7397ecaff7c5c1aa27f5124fc7b8a94e643
SHA256

6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1
SHA512

ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4
SSDEEP

98304:F7b3a0t2TiPhx6Sp+ybfnDA4qo34n1oO:FH3Z8cp+gDZ4n1

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4060	schtasks.exe
3952	schtasks.exe
364	schtasks.exe
4120	schtasks.exe
4496	schtasks.exe
688	schtasks.exe
2036	schtasks.exe
4900	schtasks.exe
2632	schtasks.exe
4780	schtasks.exe
4844	schtasks.exe
5076	schtasks.exe
3960	schtasks.exe
4664	schtasks.exe
1176	schtasks.exe
3096	schtasks.exe
3880	schtasks.exe
3584	schtasks.exe
4112	schtasks.exe
1236	schtasks.exe
360	schtasks.exe
4804	schtasks.exe
3964	schtasks.exe
2144	schtasks.exe
1568	schtasks.exe
4080	schtasks.exe
4060	schtasks.exe
5068	schtasks.exe
4088	schtasks.exe
3340	schtasks.exe
4200	schtasks.exe
4976	schtasks.exe
4788	schtasks.exe
4860	schtasks.exe
1528	schtasks.exe
1004	schtasks.exe
4872	schtasks.exe
3608	schtasks.exe
4280	schtasks.exe
1944	schtasks.exe
4904	schtasks.exe
4776	schtasks.exe
1120	schtasks.exe
3488	schtasks.exe
3016	schtasks.exe
1164	schtasks.exe
5108	schtasks.exe
192	schtasks.exe
2884	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
3240	schtasks.exe
4272	schtasks.exe
4656	schtasks.exe
2188	schtasks.exe
1008	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\", \"C:\\Program Files\\Java\\ShellExperienceHost.exe\", \"C:\\Users\\All Users\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\", \"C:\\Program Files\\Java\\ShellExperienceHost.exe\", \"C:\\Users\\All Users\\dwm.exe\", \"C:\\Windows\\AppPatch\\it-IT\\Idle.exe\", \"C:\\odt\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\", \"C:\\Program Files\\Java\\ShellExperienceHost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\", \"C:\\Program Files\\Java\\ShellExperienceHost.exe\", \"C:\\Users\\All Users\\dwm.exe\", \"C:\\Windows\\AppPatch\\it-IT\\Idle.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\SearchUI.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\smss.exe\", \"C:\\odt\\SearchUI.exe\", \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	368	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2772-116-0x0000000000930000-0x0000000000CFA000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	dcrat
C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe	dcrat
C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exefontdrvhost.exe

pid process

3832 0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
4872 fontdrvhost.exe

pid	process
3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
4872	fontdrvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\conhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\odt\\SearchUI.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\odt\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Multimedia Platform\\RuntimeBroker.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Program Files\\Java\\ShellExperienceHost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\AppPatch\\it-IT\\Idle.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Recovery\\WindowsRE\\SearchUI.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Program Files\\Java\\ShellExperienceHost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\OfficeClickToRun.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Recovery\\WindowsRE\\SearchUI.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\odt\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\odt\\SearchUI.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\fontdrvhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\dllhost.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\System.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\AppPatch\\it-IT\\Idle.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 33 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\e6c9b481da804f	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX919D.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\088424020bedd6	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\fontdrvhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX7FBF.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\5b884080fd4f94	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\27d1bcfc3c54e0	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\fontdrvhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Java\ShellExperienceHost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX8241.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\conhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Java\f8c8f1285d826b	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\5940a34987c991	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\sppsvc.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX921B.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\System.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\conhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\5b884080fd4f94	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\System.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Java\ShellExperienceHost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RCX7C13.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX7F31.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RCX7CA0.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX82CE.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Drops file in Windows directory 4 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
File created	C:\Windows\OCR\en-us\dllhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Windows\AppPatch\it-IT\Idle.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Windows\AppPatch\it-IT\6ccacd8608530f	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Windows\AppPatch\it-IT\Idle.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5076	schtasks.exe
1236	schtasks.exe
688	schtasks.exe
4088	schtasks.exe
3880	schtasks.exe
4664	schtasks.exe
2884	schtasks.exe
4776	schtasks.exe
4120	schtasks.exe
1176	schtasks.exe
4900	schtasks.exe
5108	schtasks.exe
4804	schtasks.exe
1008	schtasks.exe
192	schtasks.exe
1944	schtasks.exe
3488	schtasks.exe
360	schtasks.exe
4860	schtasks.exe
3964	schtasks.exe
2188	schtasks.exe
4904	schtasks.exe
4780	schtasks.exe
2144	schtasks.exe
4080	schtasks.exe
4060	schtasks.exe
2632	schtasks.exe
1120	schtasks.exe
3340	schtasks.exe
5068	schtasks.exe
1164	schtasks.exe
4976	schtasks.exe
4200	schtasks.exe
3584	schtasks.exe
4060	schtasks.exe
364	schtasks.exe
4272	schtasks.exe
3608	schtasks.exe
4844	schtasks.exe
4656	schtasks.exe
1528	schtasks.exe
3096	schtasks.exe
2036	schtasks.exe
3240	schtasks.exe
4496	schtasks.exe
4788	schtasks.exe
4872	schtasks.exe
4280	schtasks.exe
3960	schtasks.exe
3952	schtasks.exe
1004	schtasks.exe
3016	schtasks.exe
1568	schtasks.exe
4112	schtasks.exe

Modifies registry class 3 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

pid	process
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
2556	powershell.exe
2248	powershell.exe
3916	powershell.exe
708	powershell.exe
3176	powershell.exe
4292	powershell.exe
4624	powershell.exe
4636	powershell.exe
4636	powershell.exe
5036	powershell.exe
5036	powershell.exe
4916	powershell.exe
4916	powershell.exe
4552	powershell.exe
4552	powershell.exe
1896	powershell.exe
1896	powershell.exe
4552	powershell.exe
4916	powershell.exe
1896	powershell.exe
2556	powershell.exe
2556	powershell.exe
3176	powershell.exe
3176	powershell.exe
3916	powershell.exe
3916	powershell.exe
4636	powershell.exe
2248	powershell.exe
2248	powershell.exe
4624	powershell.exe
4624	powershell.exe
5036	powershell.exe
4292	powershell.exe
4292	powershell.exe
4552	powershell.exe
708	powershell.exe
708	powershell.exe
1896	powershell.exe
4916	powershell.exe
3176	powershell.exe
2556	powershell.exe
4636	powershell.exe
3916	powershell.exe
2248	powershell.exe
3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
4624	powershell.exe
4292	powershell.exe
708	powershell.exe
5036	powershell.exe
3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Token: SeIncreaseQuotaPrivilege	1896	powershell.exe
Token: SeSecurityPrivilege	1896	powershell.exe
Token: SeTakeOwnershipPrivilege	1896	powershell.exe
Token: SeLoadDriverPrivilege	1896	powershell.exe
Token: SeSystemProfilePrivilege	1896	powershell.exe
Token: SeSystemtimePrivilege	1896	powershell.exe
Token: SeProfSingleProcessPrivilege	1896	powershell.exe
Token: SeIncBasePriorityPrivilege	1896	powershell.exe
Token: SeCreatePagefilePrivilege	1896	powershell.exe
Token: SeBackupPrivilege	1896	powershell.exe
Token: SeRestorePrivilege	1896	powershell.exe
Token: SeShutdownPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeSystemEnvironmentPrivilege	1896	powershell.exe
Token: SeRemoteShutdownPrivilege	1896	powershell.exe
Token: SeUndockPrivilege	1896	powershell.exe
Token: SeManageVolumePrivilege	1896	powershell.exe
Token: 33	1896	powershell.exe
Token: 34	1896	powershell.exe
Token: 35	1896	powershell.exe
Token: 36	1896	powershell.exe
Token: SeIncreaseQuotaPrivilege	4916	powershell.exe
Token: SeSecurityPrivilege	4916	powershell.exe
Token: SeTakeOwnershipPrivilege	4916	powershell.exe
Token: SeLoadDriverPrivilege	4916	powershell.exe
Token: SeSystemProfilePrivilege	4916	powershell.exe
Token: SeSystemtimePrivilege	4916	powershell.exe
Token: SeProfSingleProcessPrivilege	4916	powershell.exe
Token: SeIncBasePriorityPrivilege	4916	powershell.exe
Token: SeCreatePagefilePrivilege	4916	powershell.exe
Token: SeBackupPrivilege	4916	powershell.exe
Token: SeRestorePrivilege	4916	powershell.exe
Token: SeShutdownPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeSystemEnvironmentPrivilege	4916	powershell.exe
Token: SeRemoteShutdownPrivilege	4916	powershell.exe
Token: SeUndockPrivilege	4916	powershell.exe
Token: SeManageVolumePrivilege	4916	powershell.exe
Token: 33	4916	powershell.exe
Token: 34	4916	powershell.exe
Token: 35	4916	powershell.exe
Token: 36	4916	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exefontdrvhost.exe

description	pid	process	target process
PID 2772 wrote to memory of 2556	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 2556	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 2248	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 2248	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 3916	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 3916	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 708	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 708	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 3176	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 3176	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4292	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4292	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4624	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4624	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4636	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4636	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 5036	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 5036	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4916	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4916	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 1896	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 1896	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4552	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 4552	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2772 wrote to memory of 3832	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
PID 2772 wrote to memory of 3832	2772	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
PID 3832 wrote to memory of 4888	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4888	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 3556	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 3556	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4428	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4428	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 1660	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 1660	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4088	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4088	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4076	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4076	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 1884	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 1884	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 3240	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 3240	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 3832 wrote to memory of 4872	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	fontdrvhost.exe
PID 3832 wrote to memory of 4872	3832	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	fontdrvhost.exe
PID 4872 wrote to memory of 4796	4872	fontdrvhost.exe	WScript.exe
PID 4872 wrote to memory of 4796	4872	fontdrvhost.exe	WScript.exe
PID 4872 wrote to memory of 2088	4872	fontdrvhost.exe	WScript.exe
PID 4872 wrote to memory of 2088	4872	fontdrvhost.exe	WScript.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

fontdrvhost.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
"C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
"C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'
3⤵
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe'
3⤵
PID:4428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'
3⤵
PID:3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
3⤵
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\ShellExperienceHost.exe'
3⤵
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'
3⤵
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\it-IT\Idle.exe'
3⤵
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
3⤵
PID:3240

C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe
"C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31dd1b96-9409-4c68-bb10-d7fb4b05d1e5.vbs"
4⤵
PID:4796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eec7a383-de10-42ab-92bb-6a32ae078251.vbs"
4⤵
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\ShellExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Java\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\it-IT\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe

Filesize
3.8MB

MD5
0a0a64f3c4fa7d960be983aa0a7d0ce8

SHA1
b597c7397ecaff7c5c1aa27f5124fc7b8a94e643

SHA256
6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

SHA512
ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4

Download Submit
C:\Program Files\Windows Defender Advanced Threat Protection\fontdrvhost.exe

Filesize
3.8MB

MD5
0a0a64f3c4fa7d960be983aa0a7d0ce8

SHA1
b597c7397ecaff7c5c1aa27f5124fc7b8a94e643

SHA256
6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

SHA512
ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe.log

Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6b44ed70c3279aaecbcdde770789ad4

SHA1
4b13ee25c1dc3cba06cce215da101d2a1dd5dec1

SHA256
bfd1b8e59e279daa17edaa2e2726a021cc522ca16fd8c36ed7422f67930d9a36

SHA512
6b1756b393326c46bcfd701fbc851cc890cffca5f03ba614ae08dc584c73545e8ebf1387b6a2ca2a0c17668c592481b7a33cb7f1fea4a22abcd54901a12e72da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57534bafcd473ca1eeb9ec3461d12f89

SHA1
f50525e3c1cbda1467d5b517b8c41c18853ffdfd

SHA256
693cbaa4b8ccff3b2051aec2be3fea701118742eb7147d1b8cebdc444e517279

SHA512
70a942cbe77b5896ba2c7eade4e5cb635de1cde7eff5130911da96626899b2503fa5f3d5da75b773eb8c8c4c17a8afb62de0969918e71a865ec53434d4ced06f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1ac3fd7cbef03dd38a889057ff260b1

SHA1
13ae22f1d34a767c8165937936950bea7aff37e2

SHA256
59be7c36f9920eca0a8f7760dbbef791cea61f98c2234b01e6e656a040bbe1c6

SHA512
eb0717cbb68d522349b482ba167512ca67d72a2c2fbe2147c42690468b9e21ff609e01c644b445b0de0ecbff8465acc691159d4e9080cc53f2511b0a6a2b9052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1ac3fd7cbef03dd38a889057ff260b1

SHA1
13ae22f1d34a767c8165937936950bea7aff37e2

SHA256
59be7c36f9920eca0a8f7760dbbef791cea61f98c2234b01e6e656a040bbe1c6

SHA512
eb0717cbb68d522349b482ba167512ca67d72a2c2fbe2147c42690468b9e21ff609e01c644b445b0de0ecbff8465acc691159d4e9080cc53f2511b0a6a2b9052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
466cd9f996d94424aba7006192abe6da

SHA1
2202fd536886c88e4a2613371dafa47feaed9cee

SHA256
4ebbbce82c5c1cee2fe63d9c1e117e237a4751844817d41deab7ca94a6b73355

SHA512
e64c46c724fffc6ef2508550aade4be0b082b00f3e45a6d0f915715ef1fd5c3a7ca95ef4547e50e6a529ed6904e4073dd11f9f0a03d35aa05af799e79b86ec5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eceeb71377508d51182ee7195e0d5833

SHA1
59c127b1f0b090e236c268ff57fd1911c956a5d5

SHA256
990065c45ac45750afb8ee7f930c7745bb152f02153cce58c01aa911e5cf2c16

SHA512
bf2ff034bf6b3bc152972d1aff681182ac4ca7ab3d1deeb6fc2d0dd3a034494d206c68c4a21f4fcec3517c64840dc956c746b440b9f72f62da9784b5cd582b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eceeb71377508d51182ee7195e0d5833

SHA1
59c127b1f0b090e236c268ff57fd1911c956a5d5

SHA256
990065c45ac45750afb8ee7f930c7745bb152f02153cce58c01aa911e5cf2c16

SHA512
bf2ff034bf6b3bc152972d1aff681182ac4ca7ab3d1deeb6fc2d0dd3a034494d206c68c4a21f4fcec3517c64840dc956c746b440b9f72f62da9784b5cd582b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eceeb71377508d51182ee7195e0d5833

SHA1
59c127b1f0b090e236c268ff57fd1911c956a5d5

SHA256
990065c45ac45750afb8ee7f930c7745bb152f02153cce58c01aa911e5cf2c16

SHA512
bf2ff034bf6b3bc152972d1aff681182ac4ca7ab3d1deeb6fc2d0dd3a034494d206c68c4a21f4fcec3517c64840dc956c746b440b9f72f62da9784b5cd582b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eceeb71377508d51182ee7195e0d5833

SHA1
59c127b1f0b090e236c268ff57fd1911c956a5d5

SHA256
990065c45ac45750afb8ee7f930c7745bb152f02153cce58c01aa911e5cf2c16

SHA512
bf2ff034bf6b3bc152972d1aff681182ac4ca7ab3d1deeb6fc2d0dd3a034494d206c68c4a21f4fcec3517c64840dc956c746b440b9f72f62da9784b5cd582b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eceeb71377508d51182ee7195e0d5833

SHA1
59c127b1f0b090e236c268ff57fd1911c956a5d5

SHA256
990065c45ac45750afb8ee7f930c7745bb152f02153cce58c01aa911e5cf2c16

SHA512
bf2ff034bf6b3bc152972d1aff681182ac4ca7ab3d1deeb6fc2d0dd3a034494d206c68c4a21f4fcec3517c64840dc956c746b440b9f72f62da9784b5cd582b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8db7f4effc1201d09ae4d7d1dd05f209

SHA1
0fe184d3fb4766ac86ec6f59f6ae61db9443d51b

SHA256
3f2652bbd6e88ff06dccb01eb79ab94d0346e452046bcc55c29de2f15cacfa14

SHA512
b01154ccb91373832fa873f8faeecba49095d424d819667f6605ddae18bd48f5f69c184cf86c59d084f89cc50fadb170a5a114fd5eb1bc5a38a2dd086bb158fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8db7f4effc1201d09ae4d7d1dd05f209

SHA1
0fe184d3fb4766ac86ec6f59f6ae61db9443d51b

SHA256
3f2652bbd6e88ff06dccb01eb79ab94d0346e452046bcc55c29de2f15cacfa14

SHA512
b01154ccb91373832fa873f8faeecba49095d424d819667f6605ddae18bd48f5f69c184cf86c59d084f89cc50fadb170a5a114fd5eb1bc5a38a2dd086bb158fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e6159e3de8cae3068949fd94fbefab5

SHA1
60200a5846892a4482338ab541095dd1a8839270

SHA256
da84314273ba385aaa7d45ed23117b67d923af02ee947dbea0c7f82b4e5c7d09

SHA512
6c299217f7bc22b85c02e874d9b94a25e47b7944cdac9bdafa287f93599f616fbb5878c2e2fb9e2609c679076f31f7ae808b0bca2d06b99c2026eaa6eb619c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3be93bdbc958798cc58c679efb404b72

SHA1
ed24fe09423667d5274b4dddd29779a83c7d7bcb

SHA256
3f6464b62c8e35ec7ae1a3d8968546ecb8f49e2ba5be92490de4fe8ab4c579f4

SHA512
b976faf5db78ee119ef67083671f0105e0f5611573a8a243e1023dd38f11fe04e33bba694ff1898fc4ed615d8cace0bf446f9d5c46cb4d9ab642faa089f94212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5a8896a6ed8ef05f42b7ff55831ce6c

SHA1
0d33b5622ff40ec73eea2395f05f5b66f82e2fc1

SHA256
74dc54eb6b46755cdbedf86987f894e88e8302e47d6640f73d91f484878be0bb

SHA512
8fc0ed5fe9aaf779cb2888541d5cdff7864f9b7bdc2017ab13749f2c917064007c284636d12e941228040b2816292045e140ba977c3eab7506a3235288ad47dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5a8896a6ed8ef05f42b7ff55831ce6c

SHA1
0d33b5622ff40ec73eea2395f05f5b66f82e2fc1

SHA256
74dc54eb6b46755cdbedf86987f894e88e8302e47d6640f73d91f484878be0bb

SHA512
8fc0ed5fe9aaf779cb2888541d5cdff7864f9b7bdc2017ab13749f2c917064007c284636d12e941228040b2816292045e140ba977c3eab7506a3235288ad47dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15913e7211a672306284bd202e4fe858

SHA1
6789f1ba89336dba4d865b1b63b8909b6fa71912

SHA256
deda642fb0eea26bd13493bfd0ca9b773e0c341a693b92246539f3e7104b2d7e

SHA512
41778e50015891de5a5af8ca32b95eaab5dc920bb4277b250ae3afb3752d2520c27f1c4c3e3d5c2c9b99cf726dc8da1183e465fada29e5fbee01481179099e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15913e7211a672306284bd202e4fe858

SHA1
6789f1ba89336dba4d865b1b63b8909b6fa71912

SHA256
deda642fb0eea26bd13493bfd0ca9b773e0c341a693b92246539f3e7104b2d7e

SHA512
41778e50015891de5a5af8ca32b95eaab5dc920bb4277b250ae3afb3752d2520c27f1c4c3e3d5c2c9b99cf726dc8da1183e465fada29e5fbee01481179099e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2adb9e398818722842db0a07cf678b5

SHA1
293286040f46cfcec161aac4f0c63cd3b824d5d8

SHA256
3a11322cd866b4f6e399b59fdb964dfa07b3dc6ea9b3be9c6d82651b99cac8a6

SHA512
f44c3897d4042b9ec75dddd7d5657da30a54dd3725982a0443a3f223d4fad38fb8a7d5b0ac595e8f1cb63a0fb3728a2056773dba786d1c4d0743fa9bdb8be54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Filesize
3.8MB

MD5
0a0a64f3c4fa7d960be983aa0a7d0ce8

SHA1
b597c7397ecaff7c5c1aa27f5124fc7b8a94e643

SHA256
6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

SHA512
ef04e3eb8f2b10dae6845b97fa66086c3d02c5508adcd1923a93975c88f1ad0f80f984b563c36c4868276670b1dee9e11ae3c57faf7b0509118d121d920df7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\31dd1b96-9409-4c68-bb10-d7fb4b05d1e5.vbs

Filesize
752B

MD5
bd8ce8d34a1e4e8cc229ac3de365bb15

SHA1
1e7d6702a476e54a3bd1fb297ea7ebf3b2104048

SHA256
8adcf4a792e11181c198220239ce86fb56e5d1c6455da492bb2eba1acca61de8

SHA512
15be4bc221a998d87db089773a4e606e71c59cf76aa4b0bc82bcf1b460f6b762f9dd73e20a8ca44d4a951db3c1b369932c6d5b12d557c00639f411a512d9a634

Download Submit
C:\Users\Admin\AppData\Local\Temp\e049f5be7f56852d18b36b1316bf13f0812d82444.5.3225.12-26.1270cc8d3ef51614fede5606e4e0ff645b10b785a5

Filesize
584B

MD5
77bbebc0660bda7464af87e63833097f

SHA1
1be55589a6a62df9fd253bb7c39be2f7b185e09a

SHA256
8889c7ec5e2ed6bac26ea2d6bf9669e34680ad993d7e119d80c23f8a67004065

SHA512
33acec233053dca89534feaca721f3e5b072c000a4aa0273f99c4e8c47781f719e4314c0d3a75528d25856f80a8107d0e88a23ed4e11b13198d38d0e073f4093

Download Submit
C:\Users\Admin\AppData\Local\Temp\eec7a383-de10-42ab-92bb-6a32ae078251.vbs

Filesize
528B

MD5
c77e2a9e22c05f1130dcd8565372c3d0

SHA1
69f7378b8e613e3e0663b2df86e0d78fac694bd9

SHA256
22ea901c3453083c8a9ca96f1763b77410cacf26cfa9aa0d7c2d2d97463910bf

SHA512
de1d56dd7fb3e634c96ff1a7eb066f3b80105ecefca3b0189e6d014058c168b4c0851ebeb260d9611d52d078d776445e401046e272a63902b05edd347778bafe

Download Submit
memory/708-143-0x0000000000000000-mapping.dmp

Download
memory/1660-585-0x0000000000000000-mapping.dmp

Download
memory/1884-588-0x0000000000000000-mapping.dmp

Download
memory/1896-152-0x0000000000000000-mapping.dmp

Download
memory/2088-868-0x0000000000000000-mapping.dmp

Download
memory/2248-141-0x0000000000000000-mapping.dmp

Download
memory/2556-140-0x0000000000000000-mapping.dmp

Download
memory/2556-200-0x00000293EF2F0000-0x00000293EF312000-memory.dmp

Filesize
136KB

Download
memory/2772-136-0x000000001C030000-0x000000001C038000-memory.dmp

Filesize
32KB

Download
memory/2772-137-0x000000001C040000-0x000000001C04C000-memory.dmp

Filesize
48KB

Download
memory/2772-129-0x0000000002D10000-0x0000000002D18000-memory.dmp

Filesize
32KB

Download
memory/2772-117-0x0000000002D50000-0x0000000002D6C000-memory.dmp

Filesize
112KB

Download
memory/2772-118-0x000000001B8F0000-0x000000001B940000-memory.dmp

Filesize
320KB

Download
memory/2772-130-0x000000001BFC0000-0x000000001C016000-memory.dmp

Filesize
344KB

Download
memory/2772-131-0x0000000002D20000-0x0000000002D28000-memory.dmp

Filesize
32KB

Download
memory/2772-119-0x0000000001550000-0x0000000001558000-memory.dmp

Filesize
32KB

Download
memory/2772-120-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/2772-121-0x0000000002D90000-0x0000000002DA6000-memory.dmp

Filesize
88KB

Download
memory/2772-122-0x0000000002DB0000-0x0000000002DBA000-memory.dmp

Filesize
40KB

Download
memory/2772-127-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/2772-123-0x000000001B8A0000-0x000000001B8F6000-memory.dmp

Filesize
344KB

Download
memory/2772-139-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/2772-138-0x000000001C060000-0x000000001C06A000-memory.dmp

Filesize
40KB

Download
memory/2772-128-0x000000001BFB0000-0x000000001BFBC000-memory.dmp

Filesize
48KB

Download
memory/2772-116-0x0000000000930000-0x0000000000CFA000-memory.dmp

Filesize
3.8MB

Download
memory/2772-135-0x000000001C020000-0x000000001C02E000-memory.dmp

Filesize
56KB

Download
memory/2772-134-0x000000001C010000-0x000000001C018000-memory.dmp

Filesize
32KB

Download
memory/2772-133-0x0000000002D40000-0x0000000002D4E000-memory.dmp

Filesize
56KB

Download
memory/2772-124-0x000000001B940000-0x000000001B94C000-memory.dmp

Filesize
48KB

Download
memory/2772-132-0x0000000002D30000-0x0000000002D3A000-memory.dmp

Filesize
40KB

Download
memory/2772-125-0x000000001B950000-0x000000001B962000-memory.dmp

Filesize
72KB

Download
memory/2772-126-0x000000001C4E0000-0x000000001CA06000-memory.dmp

Filesize
5.1MB

Download
memory/3176-144-0x0000000000000000-mapping.dmp

Download
memory/3240-589-0x0000000000000000-mapping.dmp

Download
memory/3556-583-0x0000000000000000-mapping.dmp

Download
memory/3832-261-0x0000000001960000-0x0000000001972000-memory.dmp

Filesize
72KB

Download
memory/3832-254-0x00000000017F0000-0x0000000001846000-memory.dmp

Filesize
344KB

Download
memory/3832-201-0x0000000000000000-mapping.dmp

Download
memory/3916-142-0x0000000000000000-mapping.dmp

Download
memory/4076-587-0x0000000000000000-mapping.dmp

Download
memory/4088-586-0x0000000000000000-mapping.dmp

Download
memory/4292-145-0x0000000000000000-mapping.dmp

Download
memory/4428-584-0x0000000000000000-mapping.dmp

Download
memory/4552-155-0x0000000000000000-mapping.dmp

Download
memory/4552-218-0x000001E97F780000-0x000001E97F7F6000-memory.dmp

Filesize
472KB

Download
memory/4624-146-0x0000000000000000-mapping.dmp

Download
memory/4636-147-0x0000000000000000-mapping.dmp

Download
memory/4796-867-0x0000000000000000-mapping.dmp

Download
memory/4872-619-0x0000000000000000-mapping.dmp

Download
memory/4872-637-0x000000001B8F0000-0x000000001B902000-memory.dmp

Filesize
72KB

Download
memory/4872-871-0x000000001EDD0000-0x000000001EF92000-memory.dmp

Filesize
1.8MB

Download
memory/4888-582-0x0000000000000000-mapping.dmp

Download
memory/4916-150-0x0000000000000000-mapping.dmp

Download
memory/5036-148-0x0000000000000000-mapping.dmp

Download