dcrat | 5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Size

952KB
MD5

1209550c133b7d9348abd6a9e73cf550
SHA1

5757619894aef5ec83b1a4c4bc0a3426d4ae0880
SHA256

5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6
SHA512

513b154b26b928e4aa7db95a8e4d49e6b2a5074d1d2af48311c4a8049ff4a49701ffe161e228d98b1cf9b986128bfad9803c69f73c081096342dd31dc95fe6ba
SSDEEP

24576:++O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:58/KfRTK

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3528	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3528	schtasks.exe	84

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1312-1-0x0000000000A90000-0x0000000000B84000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c93-20.dat	dcrat
behavioral2/files/0x0010000000023b59-101.dat	dcrat
behavioral2/files/0x0008000000023c8c-121.dat	dcrat
behavioral2/files/0x0009000000023c96-134.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
3068	csrss.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\csrss.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Documents and Settings\\backgroundTaskHost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wsnmp32\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\PerfLogs\\backgroundTaskHost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Documents and Settings\\csrss.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Documents and Settings\\backgroundTaskHost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\PerfLogs\\backgroundTaskHost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wsnmp32\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\SIGNUP\\csrss.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\appmgr\RCXA720.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\dfscli\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\tcblaunch\RCXB030.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\tcblaunch\RCXB031.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\AppxSysprep\sihost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\appmgr\5b884080fd4f94e2695da25c503f9e33b9605b83	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\tcblaunch\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\wscisvif\fontdrvhost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\wscisvif\5b884080fd4f94e2695da25c503f9e33b9605b83	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\KeyboardFilterCore\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\wsnmp32\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\wbem\KrnlProv\WmiPrvSE.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\appmgr\fontdrvhost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\dfscli\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\tcblaunch\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\wbem\KrnlProv\WmiPrvSE.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\AppxSysprep\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\wscisvif\RCXB99E.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\wsnmp32\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\tcblaunch\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\AppxSysprep\sihost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\AppxSysprep\RCXB799.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\wscisvif\fontdrvhost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\wbem\KrnlProv\24dbde2999530ef5fd907494bc374d663924116c	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\wsnmp32\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\appmgr\fontdrvhost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\dfscli\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\appmgr\RCXA71F.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\dfscli\RCXA926.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\AppxSysprep\RCXB72B.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\System32\KeyboardFilterCore\spoolsv.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\dfscli\RCXA925.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\wscisvif\RCXBA0C.tmp	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\System32\KeyboardFilterCore\spoolsv.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Program Files\MSBuild\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\csrss.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\886983d96e3d3e31032c679b2d4ea91b6c05afef	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Program Files\MSBuild\RuntimeBroker.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\csrss.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\Speech\backgroundTaskHost.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\DtcInstall\explorer.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File created	C:\Windows\DtcInstall\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
File opened for modification	C:\Windows\DtcInstall\explorer.exe	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4764	schtasks.exe
528	schtasks.exe
3772	schtasks.exe
1008	schtasks.exe
1604	schtasks.exe
3116	schtasks.exe
2944	schtasks.exe
4808	schtasks.exe
3640	schtasks.exe
424	schtasks.exe
2540	schtasks.exe
2576	schtasks.exe
2188	schtasks.exe
4492	schtasks.exe
3424	schtasks.exe
5008	schtasks.exe
3660	schtasks.exe
3756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Token: SeDebugPrivilege	2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Token: SeDebugPrivilege	3068	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2564	1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe	101
PID 1312 wrote to memory of 2564	1312	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe	101
PID 2564 wrote to memory of 712	2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe	117
PID 2564 wrote to memory of 712	2564	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe	117
PID 712 wrote to memory of 3816	712	cmd.exe	119
PID 712 wrote to memory of 3816	712	cmd.exe	119
PID 712 wrote to memory of 3068	712	cmd.exe	121
PID 712 wrote to memory of 3068	712	cmd.exe	121

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
"C:\Users\Admin\AppData\Local\Temp\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1312
- C:\Users\Admin\AppData\Local\Temp\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
  "C:\Users\Admin\AppData\Local\Temp\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4AA2fPbZ0.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3816
  - - C:\Documents and Settings\csrss.exe
      "C:\Documents and Settings\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\appmgr\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\dfscli\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\PerfLogs\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\tcblaunch\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\WinMSIPC\Server\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\AppxSysprep\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\wscisvif\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Documents and Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\KrnlProv\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KeyboardFilterCore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wsnmp32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d

Filesize
808B

MD5
e86f01aa3a827d1092387917f420b336

SHA1
1add285de5c6950a88a4ea99fcb1880a00e4ff89

SHA256
adc4a44e61e6844675309e239208f5d43a74319b6a696d9715761280524be70c

SHA512
2c3ca2315b6fcaeb65cc73c18993b8738b2c73543d35d5b62b6dbf02e7ce8b935ce12d14c29f035df0e84522758b456084dded489467e20840c75b5471641263

Download Submit
C:\ProgramData\Microsoft\WinMSIPC\Server\Idle.exe

Filesize
952KB

MD5
c782994969a65c3c996feffb4852a3de

SHA1
b324bdae8a4f5e4240f369bd8d77d340ab21637f

SHA256
263ca9606fb85222992064e44d7c104e449fdeae676796135e73a5d286be2c21

SHA512
512da37773dbf41e5aa3a1c2e6cf7c2006c7f2793053532a97b00202a4205dc8e6cbf01557b09812e6e8ccb0f8ece34ee0896a95b0bdce98fb8b5eba199282ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4AA2fPbZ0.bat

Filesize
199B

MD5
c582f87f0a086132ad8590fbb286bcfd

SHA1
332d47ab173547be683421f30dac88b68af559dd

SHA256
f59e29b70b211c222c6bb9ee29514a88e4cf04de8afad1ecd209765ae93f3b78

SHA512
16fb6fc5df445c0b90c869da81e3556f0ed223a93b9169da44a5a84967699db1e097d7bd97d1de8999e93c2b01678f38bf3eb7cdc4d101dafadb09e2b7e8ce36

Download Submit
C:\Windows\System32\AppxSysprep\sihost.exe

Filesize
952KB

MD5
56809da4864fa8c53abe0a218769ba38

SHA1
af3812db4a846a308aaaa49345d6d3b15f68cd44

SHA256
6e183061c081951e5c926af2bb4d6c323981a9dbd8e000882575e25fc667055c

SHA512
9b3784a69b21958dc129c5a231a946f855790ce1cde515a10f6d80f22ccc824c99095ad8ab23963ebe4388bad224c7421b6af169955f8fe95b541123a24d27e8

Download Submit
C:\Windows\System32\tcblaunch\RuntimeBroker.exe

Filesize
952KB

MD5
1209550c133b7d9348abd6a9e73cf550

SHA1
5757619894aef5ec83b1a4c4bc0a3426d4ae0880

SHA256
5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6

SHA512
513b154b26b928e4aa7db95a8e4d49e6b2a5074d1d2af48311c4a8049ff4a49701ffe161e228d98b1cf9b986128bfad9803c69f73c081096342dd31dc95fe6ba

Download Submit
C:\Windows\System32\wscisvif\fontdrvhost.exe

Filesize
952KB

MD5
db8edd01b5d18c07a6fd5e02c2ec53a6

SHA1
5498036052e716688c86b6009f6ab9ce4eb3b496

SHA256
d4d7ce7a8653727c3852bd1433f8f44fa2de694bdfb87c978dcffc4f08ec6b5e

SHA512
e86e8886ed70b3ed9c312467f27d8568e09e04eff5873521f200119df4a2d81f9c855dc571bd19154096fafb84896a63eed797333cfb149092b3ff36228fce0e

Download Submit
memory/1312-5-0x0000000002D00000-0x0000000002D0A000-memory.dmp

Filesize
40KB

Download
memory/1312-10-0x000000001B660000-0x000000001B66C000-memory.dmp

Filesize
48KB

Download
memory/1312-9-0x000000001B650000-0x000000001B65A000-memory.dmp

Filesize
40KB

Download
memory/1312-11-0x000000001B670000-0x000000001B67C000-memory.dmp

Filesize
48KB

Download
memory/1312-8-0x000000001B640000-0x000000001B648000-memory.dmp

Filesize
32KB

Download
memory/1312-7-0x000000001B630000-0x000000001B63A000-memory.dmp

Filesize
40KB

Download
memory/1312-6-0x0000000002D30000-0x0000000002D3C000-memory.dmp

Filesize
48KB

Download
memory/1312-0-0x00007FFFA2C73000-0x00007FFFA2C75000-memory.dmp

Filesize
8KB

Download
memory/1312-4-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/1312-3-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

Filesize
64KB

Download
memory/1312-141-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/1312-2-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/1312-1-0x0000000000A90000-0x0000000000B84000-memory.dmp

Filesize
976KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wsnmp32\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\", \"C:\\Windows\\DtcInstall\\explorer.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wsnmp32\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\csrss.exe\", \"C:\\Documents and Settings\\csrss.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wsnmp32\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wsnmp32\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\SIGNUP\\csrss.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\appmgr\\fontdrvhost.exe\", \"C:\\Windows\\System32\\dfscli\\RuntimeBroker.exe\", \"C:\\PerfLogs\\backgroundTaskHost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe\", \"C:\\Windows\\System32\\tcblaunch\\RuntimeBroker.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\Idle.exe\", \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\AppxSysprep\\sihost.exe\", \"C:\\Windows\\System32\\wscisvif\\fontdrvhost.exe\", \"C:\\Documents and Settings\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\wbem\\KrnlProv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\KeyboardFilterCore\\spoolsv.exe\""	5fdd8a6cd6e75dacc368bb361235cc83646148e395e839c11a47234ec662cbe6N.exe