discordrat | dc303bf4fc27ed283589c456d5a5b40e9a0bc97ad9e3fcf9c603998491743248

Analysis

max time kernel
383s
max time network
423s
platform
windows10-1703_x64
resource
win10-20240404-de
resource tags

arch:x64arch:x86image:win10-20240404-delocale:de-deos:windows10-1703-x64systemwindows
submitted
17-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer/spoofer.exe
Size

78KB
MD5

a588fc073017f17b9538be0d7950fe8b
SHA1

db71c1ad51e13f38c5342fa2c84fa45221176839
SHA256

5b25158dadc5ac21c99c100eb9c49f86898dc19959e045f131414ee1e52fe2f1
SHA512

08bdf70710d8e5330f824f971a5585e0b2b3a6516c0a59f5c00fe175b681ecbf25a354c64e1bcb9cb1d5fd0c6401e765355c416e0b860e8da0a4ff72e32ca1f5
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC

Score

10^/10

discordrat evasion execution persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MDcyOTAxNzg4ODUzODY1NA.Grdfmd.TkiEwQyP2bUA1RIGNTE-wkWpyVRP_iGf-NHIsI
server_id
1240883770677264404

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2052 created 2136	2052	WerFault.exe	86
PID 4500 created 4520	4500	svchost.exe	81

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2280 created 560	2280	spoofer.exe	5
PID 4500 created 2136	4500	svchost.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3676	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1356	NetSh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 32 IoCs

Web Service

T1102

flow	ioc
48	discord.com
49	discord.com
82	discord.com
11	discord.com
64	discord.com
65	discord.com
14	discord.com
68	discord.com
81	discord.com
76	discord.com
83	discord.com
3	discord.com
60	discord.com
69	discord.com
75	discord.com
59	raw.githubusercontent.com
61	discord.com
8	discord.com
19	discord.com
21	discord.com
25	discord.com
28	discord.com
47	discord.com
4	discord.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	discord.com
12	discord.com
18	discord.com
26	discord.com
74	discord.com

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 2172	2280	spoofer.exe	74

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4129138312\2337188909.pri	RuntimeBroker.exe
File created	C:\Windows\rescache\_merged\3060194815\1209253612.pri	RuntimeBroker.exe
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	RuntimeBroker.exe
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3060194815\1209253612.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c6a04851_0	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\c6a04851_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\spoofer\\spoofer.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715944783"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 17 May 2024 11:19:44 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={68B30AEA-E7BA-4E60-8A91-D01B9BF16C6E}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\hgcpl.dll,-1#immutable1 = "Heimnetzgruppe"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\srchadmin.dll,-601#immutable1 = "Indizierungsoptionen"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Farbverwaltung"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\fhcpl.dll,-52#immutable1 = "Dateiversionsverlauf"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "RemoteApp- und Desktopverbindungen"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\intl.cpl,-3#immutable1 = "Region"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\main.cpl,-102#immutable1 = "Tastatur"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\mmsys.cpl,-300#immutable1 = "Sound"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Anmeldeinformationsverwaltung"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\sud.dll,-1#immutable1 = "Standardprogramme"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Spracherkennung"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Internetoptionen"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\accessibilitycpl.dll,-10#immutable1 = "Center für erleichterte Bedienung"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\telephon.cpl,-1#immutable1 = "Telefon und Modem"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\systemcpl.dll,-1#immutable1 = "System"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\fvecpl.dll,-47#immutable1 = "Geräteverschlüsselung"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\SensorsCpl.dll,-1#immutable1 = "Standorteinstellungen"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Wiederherstellung"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\system32\FirewallControlPanel.dll,-12122#immutable1 = "Windows-Firewall"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\ImmutableMuiCache\Strings\67BDC06\@%SystemRoot%\System32\SyncCenter.dll,-3000#immutable1 = "Synchronisierungscenter"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2280	spoofer.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe
2172	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3384	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	spoofer.exe
Token: SeDebugPrivilege	2280	spoofer.exe
Token: SeDebugPrivilege	2172	dllhost.exe
Token: SeDebugPrivilege	2280	spoofer.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeTakeOwnershipPrivilege	4004	RuntimeBroker.exe
Token: SeRestorePrivilege	4004	RuntimeBroker.exe
Token: SeManageVolumePrivilege	1272	DllHost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeAuditPrivilege	2428	svchost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	4004	RuntimeBroker.exe
Token: SeCreatePagefilePrivilege	4004	RuntimeBroker.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeDebugPrivilege	3240	WerFault.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeDebugPrivilege	2052	WerFault.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
3384	Explorer.EXE
972	dwm.exe
972	dwm.exe
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
972	dwm.exe
972	dwm.exe
972	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE
3384	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2280	spoofer.exe
2280	spoofer.exe
4520	SystemSettings.exe
624	SecHealthUI.exe
2136	SecHealthUI.exe

Suspicious use of UnmapMainImage 41 IoCs

pid	Process
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
1132	ApplicationFrameHost.exe
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2280 wrote to memory of 2172	2280	spoofer.exe	74
PID 2172 wrote to memory of 560	2172	dllhost.exe	5
PID 2172 wrote to memory of 640	2172	dllhost.exe	7
PID 2172 wrote to memory of 724	2172	dllhost.exe	8
PID 2172 wrote to memory of 904	2172	dllhost.exe	13
PID 2172 wrote to memory of 972	2172	dllhost.exe	14
PID 2172 wrote to memory of 1020	2172	dllhost.exe	15
PID 2172 wrote to memory of 628	2172	dllhost.exe	16
PID 2172 wrote to memory of 1036	2172	dllhost.exe	18
PID 2172 wrote to memory of 1072	2172	dllhost.exe	19
PID 2172 wrote to memory of 1084	2172	dllhost.exe	20
PID 2172 wrote to memory of 1196	2172	dllhost.exe	21
PID 2172 wrote to memory of 1204	2172	dllhost.exe	22
PID 2172 wrote to memory of 1292	2172	dllhost.exe	23
PID 2172 wrote to memory of 1304	2172	dllhost.exe	24
PID 2172 wrote to memory of 1332	2172	dllhost.exe	25
PID 2172 wrote to memory of 1416	2172	dllhost.exe	26
PID 2172 wrote to memory of 1448	2172	dllhost.exe	27
PID 2172 wrote to memory of 1516	2172	dllhost.exe	28
PID 2172 wrote to memory of 1564	2172	dllhost.exe	29
PID 2172 wrote to memory of 1576	2172	dllhost.exe	30
PID 2172 wrote to memory of 1616	2172	dllhost.exe	31
PID 2172 wrote to memory of 1748	2172	dllhost.exe	32
PID 2172 wrote to memory of 1756	2172	dllhost.exe	33
PID 2172 wrote to memory of 1772	2172	dllhost.exe	34
PID 2172 wrote to memory of 1784	2172	dllhost.exe	35
PID 2172 wrote to memory of 1920	2172	dllhost.exe	36
PID 2172 wrote to memory of 2000	2172	dllhost.exe	37
PID 2172 wrote to memory of 1860	2172	dllhost.exe	38
PID 2172 wrote to memory of 2156	2172	dllhost.exe	39
PID 2172 wrote to memory of 2364	2172	dllhost.exe	40
PID 2172 wrote to memory of 2372	2172	dllhost.exe	41
PID 2172 wrote to memory of 2388	2172	dllhost.exe	42
PID 2172 wrote to memory of 2428	2172	dllhost.exe	43
PID 2172 wrote to memory of 2516	2172	dllhost.exe	44
PID 2172 wrote to memory of 2556	2172	dllhost.exe	45
PID 2172 wrote to memory of 2572	2172	dllhost.exe	46
PID 2172 wrote to memory of 2644	2172	dllhost.exe	47
PID 2172 wrote to memory of 2692	2172	dllhost.exe	48
PID 2172 wrote to memory of 2720	2172	dllhost.exe	49
PID 2172 wrote to memory of 2796	2172	dllhost.exe	50
PID 2172 wrote to memory of 2960	2172	dllhost.exe	51
PID 2172 wrote to memory of 3064	2172	dllhost.exe	52
PID 2172 wrote to memory of 3076	2172	dllhost.exe	53
PID 2172 wrote to memory of 3384	2172	dllhost.exe	54
PID 2172 wrote to memory of 4004	2172	dllhost.exe	57
PID 2172 wrote to memory of 4200	2172	dllhost.exe	58
PID 2172 wrote to memory of 1856	2172	dllhost.exe	60
PID 2172 wrote to memory of 4836	2172	dllhost.exe	61
PID 2172 wrote to memory of 3996	2172	dllhost.exe	63
PID 2172 wrote to memory of 4952	2172	dllhost.exe	64
PID 2172 wrote to memory of 2772	2172	dllhost.exe	65
PID 2172 wrote to memory of 1172	2172	dllhost.exe	66
PID 2172 wrote to memory of 3420	2172	dllhost.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:560
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:972
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f51d469f-1640-4bbc-b757-8d38cb77068f}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 /state0:0xa3afa055 /state1:0x41c64e6d
  2⤵
  PID:5072

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1072
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2960

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1196

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1416
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
- Modifies Internet Explorer settings
PID:1616
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x414
  2⤵
  PID:3696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1920

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2000

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
- Modifies data under HKEY_USERS
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2796

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3384
- C:\Users\Admin\AppData\Local\Temp\spoofer\spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\spoofer\spoofer.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1356
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2136
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C whoami
    3⤵
    PID:4112
  - - C:\Windows\system32\whoami.exe
      whoami
      4⤵
      PID:2984
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    3⤵
    PID:520
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /s /t 0
    3⤵
    PID:1832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2836
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  PID:2640

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
PID:4836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4952

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:1172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3420

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:1132

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4504

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4520

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:624
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 624 -s 1684
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7E55A26D-EF95-4A45-9F55-21E52ADF9887}
1⤵
PID:1276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4500
- C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\25b42cbf06d848e7a4225b3be68c1ef0 /t 3044 /p 4520
  2⤵
  PID:4392

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2136
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2136 -s 1680
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F17.tmp.csv

Filesize
32KB

MD5
cb363e362c294cfab877152fd1adaaed

SHA1
48c52561f145fadcfe149d49e3d8cf87463f280d

SHA256
baa73dee9df97bd4439c75b027110d1d2ff95c2d5ce2efdb0a5dcdade3ed8a65

SHA512
0c04149a61dfb0e7d2d705cacfe9673153f3476e8e647830c4b38989dac1edc010ce9c2f3941d301ba5085da6d3b012d41a9eb5714613a12808101bf922dad62

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F47.tmp.txt

Filesize
12KB

MD5
2143406193e94e7dfebffe6b8ef93522

SHA1
08735158efacabab7207a4bfef8cbe1077e49a3f

SHA256
286b95c6616711839dd060bbca28494ace1c6ba68db5882882fb2f936588b5eb

SHA512
9e38b57ff7494cc7e57055802028a200671647dde2f26063fb797c96004615dea713334cb27551f9fe3618c328e276fb32335168edc0d62e8d8979a75e1ce942

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER96E9.tmp.csv

Filesize
32KB

MD5
e9d20523a0cd345418421324507f3149

SHA1
f6c9eb2d0abe1b080c0606f198ab8b91e83d1895

SHA256
1f04b081a15843491f74ee8ba8d3fa711a1f290acd5a67639b767530bb478ffd

SHA512
ddf4ecfe4ba4ecdfdbec16c0d75cbad8146fba61503ff6e120b5bae22fdec35ca7956b50aee78abd52cd4bc5e78d64aed341599e6b2f1c07c571eff70f9f5065

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER96FA.tmp.txt

Filesize
12KB

MD5
959aa6ed420d413b0fb7e360e760d806

SHA1
a567d51f96f833e72c01ee4299fca025f708306b

SHA256
3e362c944ea7609010b2d45478c20013b4d104b1fd2f3d390229fea61f7b0827

SHA512
d79a4b78475e48983c3926f64490915860ddfe1b6bd874b7493ea32f1b33d8d31a7b32c3a734c5ebf3c2b1b4c27a862a4b49f9ead0a2911f9570df6d28079ef7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFF1.tmp.csv

Filesize
31KB

MD5
3d76cc18b2c469de79a2c96bff2909bb

SHA1
eaa38ee504c3d06800ac3111b41b1267e020e6d7

SHA256
35bda1c1e3a95602d13c614e91edbc949695f87170c4e532dc970fd5df8c05bb

SHA512
695159f5e22e71cb90f62decbb7faea40b02893fa588eb2f5cf6d1c2c0583cffcb7a46fc9c31467f60f137b65b7d4c5b952b88dfe42df55d0e74751465a5cdcb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFF2.tmp.txt

Filesize
12KB

MD5
658328e11d6988ec34c91f4e0abf5ea1

SHA1
414d02090d7d663079673416b422e69eec9dd2e3

SHA256
dc730988f77d0f2e88fd81acce2a89798e37e8d03a10b704804aa7a8f7e156a4

SHA512
6ed8e2740c2c6252c92e44028fe5a94a63997503e1c03261e787d4f683f02984e746bc8ca3dc326dfeebcc100cb998609ac21fdcb0bebec3f875ee37c3bbe9ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
4a673ecdaf8b070718cc34a72146b973

SHA1
ceca735afdd0e22eed22b463593ac2bdfed368d0

SHA256
472cf32889af656436388e3c06332b9aacf09a302eb0b5568edd126b0f9ce1ea

SHA512
9991da51107044e44c69445a3d2c1956645b1f570f92f11b14d4f38c5b075d45414cafce4252734773617d1b68dc3c86bae9f2f9caead6b711ed30557018f37d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
0bffc24101feb9271947fbeed75fe047

SHA1
d992ae691f2114134eae3c902ae09613eccabc72

SHA256
d0a1722ffed9730b6a493a4992d7267c311e18bbc3ef8fa69f032ad62d4a008f

SHA512
d9e9da46b0b1d9cfb973486bc88de93ca1e1df326a44c301b92084ed2a73588f9183aff71abe8f50e90fe98f547c176ae267a25cbc3e219e06ee953ee19baeb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\3060194815\1209253612.pri

Filesize
629KB

MD5
5cd3313eed51144ce9362142e68b875e

SHA1
2c6bc5c4674c024777bfa0a34a2a55358dba8b17

SHA256
8fc7c5faac253795ebc18b50d5b1d99139b95657454d43310c2b508dfe0e42bf

SHA512
6ab986b9b53aeaf0e8c9d2d5230aa74defff51b07534cdbcfe3c2322914517e84bb76e2f1e3f1dfdad674fc60ff54ffb8d5dd55a7deddeb0b6f16317f83219ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.chk

Filesize
8KB

MD5
c395cd69b578a96877d02cb0f547e165

SHA1
109c889ebaee62ba140fc36434d87d6ac8ebf424

SHA256
09a4276252f9f8147362ec98ba9c8a1a822e58fa1d3fa102187a9947b5506868

SHA512
295612e8bb3d5dd1f04c83a431534d445636a3ae40821aeedbba01b3bc8bf87f538d933b932f1f43095b361afc7b7bba1d07e6f96cefb35ebc5c3dc2f87f2a2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.sechealthui_cw5n1h2txyewy\AC\Microsoft\Windows\4272278488\2581520266.pri

Filesize
70KB

MD5
dc37deff2947a4ec8bf9b40a3dc25c49

SHA1
422bdce2dc21c634760c8b06a60c4ebf131cc592

SHA256
00dee1b03565baf7c105f1484f27a2e04d900538c153372482fbedd8cde61d85

SHA512
bbe9730344e0f648c53d2d5c518791ce8d92c1f04e1b9646bb4feca24d5f41fae255eff57ad7c36ff1d26869ad25eede25bbd4e98a59267d41ee71f3885d9dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdqvczt1.415.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_25ECA6F883D946A6BEF9391E3871D53A.dat

Filesize
940B

MD5
d6e62104a0d8615886fa0082351338ce

SHA1
ef6dc821685efb710fbe07e17d2331bb923a3ef1

SHA256
f466046757652072c334641bb374b2344dc0ef0c9c2b1473aa58499138639006

SHA512
b64796db9181abeceb1d3fb379a81a8244d8a12482cf1618d2a063c2d57db57c15d670bdc5507d1f86e48b91686a68676b2574658faa130d484fcf0003d16e78

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
c4b57dace92ff16ff1d54614dafbe40b

SHA1
2fb9d3014a081e5b1c581a2f6d4bee46cc97d249

SHA256
7bffdea7226b105c649f885c232f55ef93bd22d8b1bbad7a96ea137bb0f7342b

SHA512
4c2505aaf29d95ffedcc073e06b50242e553ef0ba5211f265202adf61185b3cea992659a53ad013a69cc62e402081d302a1ba70563c939ff293e1d7258a2ba87

Download Submit
memory/560-26-0x00000211CC3D0000-0x00000211CC3FA000-memory.dmp

Filesize
168KB

Download
memory/560-21-0x00000211CC3A0000-0x00000211CC3C3000-memory.dmp

Filesize
140KB

Download
memory/560-27-0x00007FFA853F0000-0x00007FFA85400000-memory.dmp

Filesize
64KB

Download
memory/560-34-0x00000211CC3D0000-0x00000211CC3FA000-memory.dmp

Filesize
168KB

Download
memory/640-23-0x0000022917150000-0x000002291717A000-memory.dmp

Filesize
168KB

Download
memory/640-24-0x00007FFA853F0000-0x00007FFA85400000-memory.dmp

Filesize
64KB

Download
memory/640-32-0x0000022917150000-0x000002291717A000-memory.dmp

Filesize
168KB

Download
memory/640-33-0x00007FFAC5405000-0x00007FFAC5406000-memory.dmp

Filesize
4KB

Download
memory/972-39-0x00007FFA853F0000-0x00007FFA85400000-memory.dmp

Filesize
64KB

Download
memory/972-38-0x0000020E19CB0000-0x0000020E19CDA000-memory.dmp

Filesize
168KB

Download
memory/972-154-0x0000020E19CB0000-0x0000020E19CDA000-memory.dmp

Filesize
168KB

Download
memory/2172-15-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2172-14-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2172-16-0x00007FFAC5360000-0x00007FFAC553B000-memory.dmp

Filesize
1.9MB

Download
memory/2172-31-0x00007FFAC5360000-0x00007FFAC553B000-memory.dmp

Filesize
1.9MB

Download
memory/2172-18-0x00007FFAC4BA0000-0x00007FFAC4C4E000-memory.dmp

Filesize
696KB

Download
memory/2172-30-0x00007FFAC5361000-0x00007FFAC546F000-memory.dmp

Filesize
1.1MB

Download
memory/2172-19-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2172-256-0x00007FFAC5360000-0x00007FFAC553B000-memory.dmp

Filesize
1.9MB

Download
memory/2172-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2280-7-0x00007FFAA7E03000-0x00007FFAA7E04000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x000001E13F690000-0x000001E13FBB6000-memory.dmp

Filesize
5.1MB

Download
memory/2280-254-0x00007FFAA7E00000-0x00007FFAA87EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-255-0x00007FFAA7E00000-0x00007FFAA87EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-11-0x00007FFAC5360000-0x00007FFAC553B000-memory.dmp

Filesize
1.9MB

Download
memory/2280-0-0x000001E124800000-0x000001E124818000-memory.dmp

Filesize
96KB

Download
memory/2280-2-0x000001E13ED30000-0x000001E13EEF2000-memory.dmp

Filesize
1.8MB

Download
memory/2280-3-0x000001E13EBD0000-0x000001E13EC12000-memory.dmp

Filesize
264KB

Download
memory/2280-481-0x000001E13F230000-0x000001E13F23E000-memory.dmp

Filesize
56KB

Download
memory/2280-17-0x00007FFAA7E00000-0x00007FFAA87EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-29-0x00007FFAA7E00000-0x00007FFAA87EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-4-0x00007FFAA7E00000-0x00007FFAA87EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-12-0x00007FFAC4BA0000-0x00007FFAC4C4E000-memory.dmp

Filesize
696KB

Download
memory/2280-10-0x000001E13ECF0000-0x000001E13ED2E000-memory.dmp

Filesize
248KB

Download
memory/2280-9-0x000001E13FBC0000-0x000001E13FE8A000-memory.dmp

Filesize
2.8MB

Download
memory/2280-8-0x00007FFAA7E00000-0x00007FFAA87EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-1-0x00007FFAA7E03000-0x00007FFAA7E04000-memory.dmp

Filesize
4KB

Download
memory/2280-6-0x000001E13F270000-0x000001E13F374000-memory.dmp

Filesize
1.0MB

Download
memory/2280-460-0x000001E140280000-0x000001E14032A000-memory.dmp

Filesize
680KB

Download
memory/3384-80-0x0000000003300000-0x000000000332A000-memory.dmp

Filesize
168KB

Download
memory/3384-81-0x00007FFA853F0000-0x00007FFA85400000-memory.dmp

Filesize
64KB

Download
memory/3676-290-0x000001D55B0B0000-0x000001D55B126000-memory.dmp

Filesize
472KB

Download
memory/3676-286-0x000001D55A400000-0x000001D55A422000-memory.dmp

Filesize
136KB

Download
memory/3676-285-0x000001D55A3C0000-0x000001D55A3D0000-memory.dmp

Filesize
64KB

Download
memory/3676-284-0x000001D55A440000-0x000001D55A4C6000-memory.dmp

Filesize
536KB

Download