dcrat | 80446e16d616fee4a8ffeef94f2dc1f5737435d07a111de9622f13a98a5f196e

Analysis

max time kernel
1793s
max time network
1796s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
Size

745KB
MD5

5e82f4a00b31da2ecd210a7c7575e29d
SHA1

518e5f78b256ee794ebbc8f96275993a9252be23
SHA256

80446e16d616fee4a8ffeef94f2dc1f5737435d07a111de9622f13a98a5f196e
SHA512

5f794743493acff89407966cdc2b3df386389d90f2468ec5a32c4df2a2ba6dfddea60886ab14a6e9a1b4ddc173989278e2c7397d430aea8c01297b40d782a900
SSDEEP

12288:sBpoIY///1UFxJF80IsoBVnsNxd2LFErkUzw2jtQsnmeTRf7qrc5PPjr21tM/7nf:ZIY/4FcHG/MnUzVhmMRfG4lLr2M/T

Score

10^/10

dcrat njrat hacked discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	TextInputHost.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1700	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1700	schtasks.exe	92

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0002000000022b25-6.dat	dcrat
behavioral3/files/0x00080000000234d0-37.dat	dcrat
behavioral3/memory/1552-39-0x0000000000EA0000-0x0000000000F94000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	gggg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	reviewdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe

Executes dropped EXE 4 IoCs

pid	Process
544	gggg.exe
1052	Server.exe
1552	reviewdriver.exe
3672	TextInputHost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\22eafd247d37c3	reviewdriver.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	reviewdriver.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe	reviewdriver.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\22eafd247d37c3	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	reviewdriver.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	reviewdriver.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe	reviewdriver.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\TextInputHost.exe	reviewdriver.exe
File created	C:\Program Files (x86)\MSBuild\TextInputHost.exe	reviewdriver.exe
File created	C:\Program Files\Uninstall Information\cmd.exe	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\ea9f0e6c9e2dcd	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	reviewdriver.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\22eafd247d37c3	reviewdriver.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhostw.exe	reviewdriver.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\uk-UA\winlogon.exe	reviewdriver.exe
File created	C:\Windows\uk-UA\cc11b995f2a76d	reviewdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gggg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	reviewdriver.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	gggg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1816	schtasks.exe
4512	schtasks.exe
1712	schtasks.exe
1696	schtasks.exe
1484	schtasks.exe
1844	schtasks.exe
5020	schtasks.exe
2904	schtasks.exe
4704	schtasks.exe
988	schtasks.exe
2788	schtasks.exe
2312	schtasks.exe
3628	schtasks.exe
4424	schtasks.exe
3100	schtasks.exe
3576	schtasks.exe
956	schtasks.exe
1596	schtasks.exe
3132	schtasks.exe
640	schtasks.exe
2180	schtasks.exe
4648	schtasks.exe
1960	schtasks.exe
3412	schtasks.exe
4012	schtasks.exe
4508	schtasks.exe
3564	schtasks.exe
624	schtasks.exe
3572	schtasks.exe
1560	schtasks.exe
3292	schtasks.exe
4556	schtasks.exe
3484	schtasks.exe
4384	schtasks.exe
2940	schtasks.exe
4356	schtasks.exe
3856	schtasks.exe
3076	schtasks.exe
3616	schtasks.exe
4008	schtasks.exe
3024	schtasks.exe
1148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1552	reviewdriver.exe
1552	reviewdriver.exe
1552	reviewdriver.exe
1552	reviewdriver.exe
1552	reviewdriver.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe
3672	TextInputHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1052	Server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	reviewdriver.exe
Token: SeDebugPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: SeDebugPrivilege	3672	TextInputHost.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe
Token: SeIncBasePriorityPrivilege	1052	Server.exe
Token: 33	1052	Server.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 544	1060	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	86
PID 1060 wrote to memory of 544	1060	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	86
PID 1060 wrote to memory of 544	1060	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	86
PID 1060 wrote to memory of 1052	1060	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	87
PID 1060 wrote to memory of 1052	1060	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	87
PID 1060 wrote to memory of 1052	1060	АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe	87
PID 544 wrote to memory of 4792	544	gggg.exe	88
PID 544 wrote to memory of 4792	544	gggg.exe	88
PID 544 wrote to memory of 4792	544	gggg.exe	88
PID 4792 wrote to memory of 4916	4792	WScript.exe	93
PID 4792 wrote to memory of 4916	4792	WScript.exe	93
PID 4792 wrote to memory of 4916	4792	WScript.exe	93
PID 4916 wrote to memory of 1552	4916	cmd.exe	95
PID 4916 wrote to memory of 1552	4916	cmd.exe	95
PID 1552 wrote to memory of 3068	1552	reviewdriver.exe	139
PID 1552 wrote to memory of 3068	1552	reviewdriver.exe	139
PID 3068 wrote to memory of 2108	3068	cmd.exe	141
PID 3068 wrote to memory of 2108	3068	cmd.exe	141
PID 3068 wrote to memory of 3672	3068	cmd.exe	144
PID 3068 wrote to memory of 3672	3068	cmd.exe	144
PID 3672 wrote to memory of 3676	3672	TextInputHost.exe	145
PID 3672 wrote to memory of 3676	3672	TextInputHost.exe	145
PID 3672 wrote to memory of 3100	3672	TextInputHost.exe	146
PID 3672 wrote to memory of 3100	3672	TextInputHost.exe	146
PID 3672 wrote to memory of 2716	3672	TextInputHost.exe	179
PID 3672 wrote to memory of 2716	3672	TextInputHost.exe	179
PID 2716 wrote to memory of 1896	2716	cmd.exe	181
PID 2716 wrote to memory of 1896	2716	cmd.exe	181

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reviewdriver.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe
"C:\Users\Admin\AppData\Local\Temp\АОАОАОАОА БЕСПЛАТНЫЕ РОБУКСЫ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\gggg.exe
  "C:\Users\Admin\AppData\Local\Temp\gggg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ChainComponentBrowserwin\zJJP8u9NRTk6u.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ChainComponentBrowserwin\ZckenFSJPCIUJWjfI5CZYMEmaPZVg.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\ChainComponentBrowserwin\reviewdriver.exe
        
        "C:\ChainComponentBrowserwin\reviewdriver.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nuw2SeGnKC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2108
        
        C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\TextInputHost.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\TextInputHost.exe"
        7⤵
        Modifies WinLogon for persistence
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074a59c4-39c4-4532-bacb-ff0e158810e8.vbs"
        8⤵
        
        PID:3676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7b8637d-b07b-4ac3-a4c9-f3d7f993be90.vbs"
        8⤵
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1896
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\ChainComponentBrowserwin\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ChainComponentBrowserwin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\ChainComponentBrowserwin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\ChainComponentBrowserwin\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ChainComponentBrowserwin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\ChainComponentBrowserwin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewdriver" /f
1⤵
- Process spawned unexpected child process
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewdriverr" /f
1⤵
- Process spawned unexpected child process
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvc" /f
1⤵
- Process spawned unexpected child process
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvcs" /f
1⤵
- Process spawned unexpected child process
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
1⤵
- Process spawned unexpected child process
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
1⤵
- Process spawned unexpected child process
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
1⤵
- Process spawned unexpected child process
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
1⤵
- Process spawned unexpected child process
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
1⤵
- Process spawned unexpected child process
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
1⤵
- Process spawned unexpected child process
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostw" /f
1⤵
- Process spawned unexpected child process
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostwt" /f
1⤵
- Process spawned unexpected child process
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
- Process spawned unexpected child process
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
- Process spawned unexpected child process
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sysmon" /f
1⤵
- Process spawned unexpected child process
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sysmons" /f
1⤵
- Process spawned unexpected child process
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfc" /f
1⤵
- Process spawned unexpected child process
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfcu" /f
1⤵
- Process spawned unexpected child process
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogon" /f
1⤵
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogonw" /f
1⤵
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "cmd" /f
1⤵
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "cmdc" /f
1⤵
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
1⤵
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainComponentBrowserwin\121e5b5079f7c0

Filesize
73B

MD5
cee3f3db5f4d8bea7a39fc4d1aa1f45d

SHA1
0372a71066e0de1fb66301401e673683509d087a

SHA256
37e117201e838c1b71eb73e79933c8bcf99adcbe61f3a250a042de8a1045f66c

SHA512
4ee8b3a2771d9cd345db627fc7901f1bc278bf963bbe2d9a8f2edbf47b3d2f1460763fceab689bd42a56315a0c8b047443025d548300595628e496fb9ae9db67

Download Submit
C:\ChainComponentBrowserwin\5b884080fd4f94

Filesize
147B

MD5
a10ef0420e4fa90d6a01964e99a183ff

SHA1
490e962a4ab4391573ae0f77c0d9612fac1ea397

SHA256
2ee4a33385a07e228de172f26f36dee391cb5149954050f069b04b87c9e0bc8c

SHA512
af5903e1b39835788918a315fc7bb7201893f0a8b03065d3aea35212d3349d653dce8e479f4dfa662e833d5c98417b1b66e02a304baf7474d65a74e28e261a20

Download Submit
C:\ChainComponentBrowserwin\ZckenFSJPCIUJWjfI5CZYMEmaPZVg.bat

Filesize
46B

MD5
3e83fda43f1932bb71d930d2f89e68b2

SHA1
1fa2f89990c21a7f0eebfbf06f7064c19e46b081

SHA256
ecb36758516d13f656baac1a37f3af9dd3e683e8aab3847d65bb82c9eb05cb51

SHA512
d6efea92b244d10f5a0e2b228782cc7e1b45fcf262dcc7ea709a9ab8fa458b2e8d3e3bfa4cdf4a4852812d01bb9ff1c7bba65abbe62527e5a84e5b3b15f8ea9b

Download Submit
C:\ChainComponentBrowserwin\reviewdriver.exe

Filesize
948KB

MD5
2e2c059f61338c40914c10d40502e57e

SHA1
e6cb5a1ffdf369b3135c72ab12d71cc3d5f2b053

SHA256
8e4df816223a625bf911553d5f80219f81fc44f07ba98c95f379fd12169c2918

SHA512
1b1f2dae55f50874532b37ad4ab74a54452f65d7499004b37b0afc3dc2c1d16d66a0e41c1733ac1f4cff9993325d32ea714b441c06ba4eba350136835c746d3e

Download Submit
C:\ChainComponentBrowserwin\zJJP8u9NRTk6u.vbe

Filesize
230B

MD5
b9b72befe720ec640eb23938f752a453

SHA1
c621298c3cfac9aa9c5cdfebd5efa0a1b01c7b34

SHA256
bddc35ffa29cfc10fc39778a551335781091aec61771943662e66cdf4c4a07ad

SHA512
4d119e2aba40fe14d624690103d08620369eeeb0a922a3091027a7cf90597db7d491653ed356eb85a45104bdcbd3eb5876e5c4c508ed85d0e235d71a65578f26

Download Submit
C:\Program Files (x86)\MSBuild\22eafd247d37c3

Filesize
761B

MD5
16071ea7bde7bf0eaefafd56e34637cf

SHA1
23b10fe7f08fb6f4f899488b7402911aba520a82

SHA256
1929e521dece094537998622df7455a5ab352de8a07e0e9241b8a8ce61d19892

SHA512
b37b0c2d3d0b86cc14f3c7306e6e9035a52290f34d3d9c72805489892285551a1480e71ca946005f159a7b7c8d0bc99af0a3d38c14252e4828feab9798964daf

Download Submit
C:\Program Files (x86)\Windows Media Player\Media Renderer\ea9f0e6c9e2dcd

Filesize
934B

MD5
2dc7d4a64abbcea7ed4c1484119b26ff

SHA1
7bace5973dbe5208ae564b1d87091190c8a6b8d8

SHA256
d7814e86c87cd083bfe390ea2624e932e32d7b791e7efc957e0890b4f587c662

SHA512
639e5df9342fafbf70aa7dae3d8676247963c35dc975ad8819f6e5a477c4c1c52772b2eddf2238cadd291bd4d3a4391e33321f750e9d549a160eb255a887e536

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991

Filesize
166B

MD5
3e4d8235eddbee44163a9c798d9410d4

SHA1
83859ae5e3db24d7c92865f32ef1d5be126d7f4a

SHA256
8683ca7bd9aeae9538c0e237ea56b16417f4f7e86f2923dd3d415faedf3d3ff7

SHA512
5b72e2b79328670e3bb6e007379efca1761612d7e8404a0928ec9be7c35b4178f838aa9826b83a68f186dafeb74b707005af72123d03a50e0d3714a92aff0715

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\22eafd247d37c3

Filesize
69B

MD5
e6a6bcfcad402baff02d2b8ce2ad3aac

SHA1
71ab99192f1a5c6a21f8c487686758c28dfec3a7

SHA256
32d6d4e351bc1d592a8df07d7c8cd867f0f2c28be0db1990eb5a981b4fdb361e

SHA512
3ba941e8005d6952073ce968795211bb627bc15001b3d8c01090d869f58e1afbe8d2377ddd84fe4c63664726c8a33ae955640ae9e06f4cec5f6f42822c177641

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\22eafd247d37c3

Filesize
732B

MD5
e206d85647b8030f0096b3c057f8dca6

SHA1
0421a6b7424346917132af076969a847cff6abcf

SHA256
c9efda9594333bb174bdc90f18266c69c268643d1214a0b31877097cd1ec3be2

SHA512
c82ed049272af0ed98233931204749d0d988bd340cf249dbc78a4335b57e5f48fe0f2e86a25685b8c9753dbe93f436dbbe27cbe77230e6dd281c524f30f95aa4

Download Submit
C:\Program Files\Uninstall Information\ebf1f9fa8afd6d

Filesize
821B

MD5
4bb5c48af6688dad5edcddcff1e6428c

SHA1
553252eeca3b57ade1735e30705cf4b17a94b2b3

SHA256
b2811f83e63356da24e9dc13100d34718c91135359034b5bc91e192f33482b6a

SHA512
bed8d9faabadc068335be9ce37bd21d6c3a63eceadbc89dd0562a4384c37c89e18a365810f148915755c74bd1c545d167a4adaf03f115b69eabf2479a81af8bf

Download Submit
C:\Program Files\Windows NT\Accessories\en-US\9e8d7a4ca61bd9

Filesize
768B

MD5
045241b7328651f2aca59536b41129b0

SHA1
eadf85090cd5279b38466ae6309f995f6cdccdf7

SHA256
1393e07345ba0a1012a05cfd0dd43a8cc8d3b7d0860bbc3e76a5c6bf450b06d6

SHA512
13ff27c88c3f9de74e1eed12c6c879e319e7d0693667f5ab6e77ac579a86ff2f33cce3eca60411c6eea88f69d4c6456b692df7ded4d0e055deeaa7a71d259e86

Download Submit
C:\Recovery\WindowsRE\0a1fd5f707cd16

Filesize
51B

MD5
b77f18acbf442eb221ab9b94d8e0186d

SHA1
75a79fbc03de84ce2b0906913ed297dd2d8df91d

SHA256
362f1d994a4caffa08ecb3ea96894e5e0268d69ce299d2db9305bbe13f485066

SHA512
e82a65f98ee12c8fb106de4a8e5e13ef4aa998e531828f64caec375b4ebb22d8b60af3685fbfb6eda6674bac6210b7f8da5431936fb973f8b9866781aec2c7bf

Download Submit
C:\Recovery\WindowsRE\9e8d7a4ca61bd9

Filesize
79B

MD5
06e93a0a8164ebc4b6c4f36d310b2f43

SHA1
61143e2ecc864f3f33198541daacedbeeceb4880

SHA256
069270f9e3106a390e94d0eda73a5f7516d0e3ab4017936eeeee3fc5a5dec57f

SHA512
79b22b56c231e05166091d462cea354d1c5783e7e4946a5017d8482e8dac56af965120efb32b04a834555b675127d754a7eda2692ee07970e5520a35246a0f77

Download Submit
C:\Recovery\WindowsRE\ea1d8f6d871115

Filesize
688B

MD5
840551e558b3a9a4edc0b1d5df5a3b43

SHA1
7d72f643fc3fb332e0dec779624f16f08840bac1

SHA256
f45fd560eef0e3ff334e8bdd9cc81d726c83d7346983c9475f278720a30a1862

SHA512
29a2837cd0ad4dc4c9573aa9fabfab439c163c32c6c5a98c347ca7b22e06da89030229920409d2131df5e4d72ef01ef68bce3b8d4ae50cc313b252590a6a734e

Download Submit
C:\Users\Admin\AppData\Local\Temp\074a59c4-39c4-4532-bacb-ff0e158810e8.vbs

Filesize
795B

MD5
cdba1c98f1496d19ac622e4e70e316eb

SHA1
67f2253c0c4dbe0579bbcde1a7c28edc1ebadca1

SHA256
6e78f6d78533dd6faaa92505829aa29ee9b6862fed9a4f55f54318493421b6be

SHA512
10a2a264d75b9fe34491a6d0a5bcca790b3f338280e7eb1bd3734ea50950ed46b8988cd3a3425c9361d04201f4e743ded1daacc59295e6d03dc5587c2f3e41d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nuw2SeGnKC.bat

Filesize
284B

MD5
8ebcc8e226bfb6d214ab3f205871b040

SHA1
2afc88e046897c0e352ed7ce5a6eaa1f68863693

SHA256
ef85034a1346013a04d390d60c8953a95959d8cbbe8c806b71e205894a2ba5ea

SHA512
84b46d9c63769dfd8e663a225f1ae282f6cfce9ff74e942f89e1753bae1112d933b1375245898d3e1831c890d6a74a4d0a40af545473927d28e8ae942be14091

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
43KB

MD5
eab8788760465b2b46598ff289b4b8c4

SHA1
8c7b27c7ec66ea41f7e20afaf1394fb71b7c4a35

SHA256
7ba3084c6d0fcc0e6e1fedfdd04d24768b819aaf309b933d0f4243c37297821f

SHA512
996471d395c297950a4df7140cf0dda388f87ad8a26fb99feb35fa265873b77a7e100520df69770fbe1554ad4bf7f877f9214a61b44326353935dfe7def12ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7b8637d-b07b-4ac3-a4c9-f3d7f993be90.vbs

Filesize
571B

MD5
28fc686b2b54f47297bf3cf19691430d

SHA1
156a16db15736297167905e51c553e1d6b5a5bff

SHA256
b2aaee048b38ace6850445c767bc40b90c80e535dfc0cbe12e2a64d18322323c

SHA512
0fd1413b0538002ffd2083e2818e4c54dc9629b8f067850a3a8ff426e39c7eea990b7701dfe5036f67d08c0dcd07caea75585aed0b13b39aa0b79198159c58ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggg.exe

Filesize
1.2MB

MD5
c5607848210b7d664771584276d7d7ae

SHA1
9a395fbac63306fa240e51646cad80a803064352

SHA256
16de1516d3fc00a0873b270ffa44f20c13524827a88798e2743afe0bb06b9815

SHA512
ef9c622ee75161fc038456a2a7e7b9e881f66852dd06331fa2fecac13ce4d585b332672d51a6c8ab3dfd5a99de22b863dd52b53750669d0175aea45ed08a6e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

Filesize
421B

MD5
8dd33a7de8661311edee52239bc79884

SHA1
2599bded051b1a33f3871610501bdf6518fa56cb

SHA256
3c3aac8bac05cf5ef07f478b72f349d8c8002f1079114fd0189f750e2e9a2059

SHA512
ca9bba789f2ad2c5e20c45b44e159eb25133e9d6bf296b03baf2cff9c6a4e6dd149e2a7ab87acf10131bdb0230ccaffe2d185c067cf5cdf17bd25e3bbedae475

Download Submit
C:\Users\Admin\Local Settings\6203df4a6bafc7

Filesize
810B

MD5
a9ce99caa7cc42c8bba5f619568267b7

SHA1
88e28981c4bbd440ab90ec41394600fa9fba3ef0

SHA256
e7d3da83db0581585ed069b7b113b955a38e49592a3f54a24b4a98f9f41481bb

SHA512
40d8c486f6035610f2c1462aa0ccdb7f788881d32e20710d1d72cb4c931f35ed682920f1b289fb316a5c8f51c607f83aafbc8cccc977b87b185d6557564d6803

Download Submit
C:\Windows\uk-UA\cc11b995f2a76d

Filesize
55B

MD5
e8cf9059ed7066bda4bb4599cc9be815

SHA1
5da71ab9b62cb97fad516858bf438e1ea61cd030

SHA256
6354fc055c3494d85a2d1752412f75657c355ee31a0175b5bac19468b60878fb

SHA512
c20f8b361af007f7744746ad6bf65dfd1d95027d04238486b9493aa191f9eae94c51a9aeb02d396f16b1ae5ef2ef1fa98b5110d16a19bad9ed21756e70e651a1

Download Submit
memory/1052-24-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/1052-79-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/1052-70-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/1052-20-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/1052-21-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1052-23-0x0000000004D30000-0x0000000004DCC000-memory.dmp

Filesize
624KB

Download
memory/1052-26-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/1052-80-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/1052-25-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/1060-0-0x00007FFF79C83000-0x00007FFF79C85000-memory.dmp

Filesize
8KB

Download
memory/1060-19-0x00007FFF79C80000-0x00007FFF7A741000-memory.dmp

Filesize
10.8MB

Download
memory/1060-7-0x00007FFF79C80000-0x00007FFF7A741000-memory.dmp

Filesize
10.8MB

Download
memory/1060-1-0x0000000000A20000-0x0000000000AE0000-memory.dmp

Filesize
768KB

Download
memory/1552-39-0x0000000000EA0000-0x0000000000F94000-memory.dmp

Filesize
976KB

Download
memory/1552-40-0x000000001BA90000-0x000000001BA9A000-memory.dmp

Filesize
40KB

Download
memory/1552-42-0x000000001BBC0000-0x000000001BBCA000-memory.dmp

Filesize
40KB

Download
memory/1552-41-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

Filesize
48KB

Download