colibri | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Size

4.9MB
MD5

d6c32cc92aff05247e665fec5d1ca5ed
SHA1

864e040db2c99477669bbe45261d8d93ebdba021
SHA256

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
SHA512

b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 30 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4988	schtasks.exe
4488	schtasks.exe
392	schtasks.exe
2976	schtasks.exe
1040	schtasks.exe
4972	schtasks.exe
File created	C:\Program Files\Windows Sidebar\22eafd247d37c3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
3408	schtasks.exe
4948	schtasks.exe
4192	schtasks.exe
4052	schtasks.exe
4768	schtasks.exe
4324	schtasks.exe
3100	schtasks.exe
2212	schtasks.exe
4388	schtasks.exe
2180	schtasks.exe
2952	schtasks.exe
3760	schtasks.exe
2436	schtasks.exe
1384	schtasks.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\e6c9b481da804f	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
3216	schtasks.exe
2140	schtasks.exe
3956	schtasks.exe
2428	schtasks.exe
3900	schtasks.exe
4824	schtasks.exe
2660	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1712	schtasks.exe

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2492-3-0x000000001B370000-0x000000001B49E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4688	powershell.exe
4412	powershell.exe
4644	powershell.exe
3728	powershell.exe
2252	powershell.exe
3840	powershell.exe
1380	powershell.exe
4828	powershell.exe
4736	powershell.exe
336	powershell.exe
1520	powershell.exe
4488	powershell.exe
4536	powershell.exe
1316	powershell.exe
1096	powershell.exe
2284	powershell.exe
1952	powershell.exe
3400	powershell.exe
2696	powershell.exe
2688	powershell.exe
3220	powershell.exe
2000	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exedwm.exedwm.exedwm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 35 IoCs

Processes:

tmpC16F.tmp.exetmpC16F.tmp.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exetmpD2D1.tmp.exetmpD2D1.tmp.exedwm.exetmpE937.tmp.exetmpE937.tmp.exedwm.exetmp1A69.tmp.exetmp1A69.tmp.exedwm.exetmp4B0E.tmp.exetmp4B0E.tmp.exedwm.exetmp6675.tmp.exetmp6675.tmp.exedwm.exetmp82B8.tmp.exetmp82B8.tmp.exetmp82B8.tmp.exedwm.exetmpB2F0.tmp.exetmpB2F0.tmp.exedwm.exetmpCF03.tmp.exetmpCF03.tmp.exedwm.exedwm.exetmp1B7D.tmp.exetmp1B7D.tmp.exedwm.exedwm.exetmp67B9.tmp.exetmp67B9.tmp.exe

pid	process
1596	tmpC16F.tmp.exe
3796	tmpC16F.tmp.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4620	tmpD2D1.tmp.exe
396	tmpD2D1.tmp.exe
3768	dwm.exe
2584	tmpE937.tmp.exe
5040	tmpE937.tmp.exe
1556	dwm.exe
784	tmp1A69.tmp.exe
2392	tmp1A69.tmp.exe
2284	dwm.exe
4512	tmp4B0E.tmp.exe
1260	tmp4B0E.tmp.exe
1272	dwm.exe
1500	tmp6675.tmp.exe
4068	tmp6675.tmp.exe
4160	dwm.exe
3976	tmp82B8.tmp.exe
3952	tmp82B8.tmp.exe
784	tmp82B8.tmp.exe
1688	dwm.exe
4816	tmpB2F0.tmp.exe
3608	tmpB2F0.tmp.exe
1284	dwm.exe
1800	tmpCF03.tmp.exe
3876	tmpCF03.tmp.exe
2676	dwm.exe
216	dwm.exe
2256	tmp1B7D.tmp.exe
1628	tmp1B7D.tmp.exe
2008	dwm.exe
3748	dwm.exe
2348	tmp67B9.tmp.exe
3100	tmp67B9.tmp.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exedwm.exedwm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exedwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmpC16F.tmp.exetmpD2D1.tmp.exetmpE937.tmp.exetmp1A69.tmp.exetmp4B0E.tmp.exetmp6675.tmp.exetmp82B8.tmp.exetmpB2F0.tmp.exetmpCF03.tmp.exetmp1B7D.tmp.exetmp67B9.tmp.exe

description	pid	process	target process
PID 1596 set thread context of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 4620 set thread context of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 2584 set thread context of 5040	2584	tmpE937.tmp.exe	tmpE937.tmp.exe
PID 784 set thread context of 2392	784	tmp1A69.tmp.exe	tmp1A69.tmp.exe
PID 4512 set thread context of 1260	4512	tmp4B0E.tmp.exe	tmp4B0E.tmp.exe
PID 1500 set thread context of 4068	1500	tmp6675.tmp.exe	tmp6675.tmp.exe
PID 3952 set thread context of 784	3952	tmp82B8.tmp.exe	tmp82B8.tmp.exe
PID 4816 set thread context of 3608	4816	tmpB2F0.tmp.exe	tmpB2F0.tmp.exe
PID 1800 set thread context of 3876	1800	tmpCF03.tmp.exe	tmpCF03.tmp.exe
PID 2256 set thread context of 1628	2256	tmp1B7D.tmp.exe	tmp1B7D.tmp.exe
PID 2348 set thread context of 3100	2348	tmp67B9.tmp.exe	tmp67B9.tmp.exe

Drops file in Program Files directory 17 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Office16\TextInputHost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Windows Sidebar\TextInputHost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Windows Sidebar\TextInputHost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\38384e6a620884	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Windows Sidebar\22eafd247d37c3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXBFD8.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\TextInputHost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Microsoft Office\Office16\22eafd247d37c3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\e6c9b481da804f	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXBD57.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

Drops file in Windows directory 1 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3970336390\OfficeClickToRun.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp1A69.tmp.exetmp4B0E.tmp.exetmp6675.tmp.exetmp82B8.tmp.exetmpCF03.tmp.exetmp1B7D.tmp.exetmpC16F.tmp.exetmpD2D1.tmp.exetmpE937.tmp.exetmp82B8.tmp.exetmpB2F0.tmp.exetmp67B9.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1A69.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4B0E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6675.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp82B8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCF03.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1B7D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC16F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD2D1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE937.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp82B8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB2F0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp67B9.tmp.exe

Modifies registry class 13 IoCs

Processes:

dwm.exedwm.exedwm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exedwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4052	schtasks.exe
4324	schtasks.exe
2436	schtasks.exe
3100	schtasks.exe
2952	schtasks.exe
2660	schtasks.exe
4948	schtasks.exe
4824	schtasks.exe
4388	schtasks.exe
3956	schtasks.exe
4768	schtasks.exe
1040	schtasks.exe
2212	schtasks.exe
2180	schtasks.exe
2140	schtasks.exe
3760	schtasks.exe
4988	schtasks.exe
2428	schtasks.exe
392	schtasks.exe
3408	schtasks.exe
4488	schtasks.exe
3900	schtasks.exe
2976	schtasks.exe
1384	schtasks.exe
4972	schtasks.exe
3216	schtasks.exe
4192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
1316	powershell.exe
1316	powershell.exe
1096	powershell.exe
1096	powershell.exe
4736	powershell.exe
4736	powershell.exe
1380	powershell.exe
1380	powershell.exe
4412	powershell.exe
4412	powershell.exe
2284	powershell.exe
2284	powershell.exe
4828	powershell.exe
4828	powershell.exe
1952	powershell.exe
1952	powershell.exe
1520	powershell.exe
1520	powershell.exe
336	powershell.exe
336	powershell.exe
4688	powershell.exe
4688	powershell.exe
1096	powershell.exe
4828	powershell.exe
336	powershell.exe
4736	powershell.exe
4412	powershell.exe
1380	powershell.exe
1316	powershell.exe
1520	powershell.exe
2284	powershell.exe
1952	powershell.exe
4688	powershell.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
3728	powershell.exe
3728	powershell.exe
3840	powershell.exe
3840	powershell.exe
3400	powershell.exe
3400	powershell.exe
4536	powershell.exe
4536	powershell.exe
2696	powershell.exe
2696	powershell.exe
4644	powershell.exe
4644	powershell.exe
2688	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3768	dwm.exe
Token: SeDebugPrivilege	1556	dwm.exe
Token: SeDebugPrivilege	2284	dwm.exe
Token: SeDebugPrivilege	1272	dwm.exe
Token: SeDebugPrivilege	4160	dwm.exe
Token: SeDebugPrivilege	1688	dwm.exe
Token: SeDebugPrivilege	1284	dwm.exe
Token: SeDebugPrivilege	2676	dwm.exe
Token: SeDebugPrivilege	216	dwm.exe
Token: SeDebugPrivilege	2008	dwm.exe
Token: SeDebugPrivilege	3748	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exetmpC16F.tmp.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exetmpD2D1.tmp.exe

description	pid	process	target process
PID 2492 wrote to memory of 4688	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 4688	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 336	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 336	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1952	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1952	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 4736	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 4736	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1596	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	tmpC16F.tmp.exe
PID 2492 wrote to memory of 1596	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	tmpC16F.tmp.exe
PID 2492 wrote to memory of 1596	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	tmpC16F.tmp.exe
PID 2492 wrote to memory of 4412	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 4412	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 2284	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 2284	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1520	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1520	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 4828	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 4828	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1096	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1096	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1380	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1380	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1316	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2492 wrote to memory of 1316	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 1596 wrote to memory of 3796	1596	tmpC16F.tmp.exe	tmpC16F.tmp.exe
PID 2492 wrote to memory of 4512	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
PID 2492 wrote to memory of 4512	2492	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
PID 4512 wrote to memory of 4620	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	tmpD2D1.tmp.exe
PID 4512 wrote to memory of 4620	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	tmpD2D1.tmp.exe
PID 4512 wrote to memory of 4620	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4620 wrote to memory of 396	4620	tmpD2D1.tmp.exe	tmpD2D1.tmp.exe
PID 4512 wrote to memory of 4488	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 4488	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 4644	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 4644	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 3840	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 3840	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2252	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2252	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 3728	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 3728	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2000	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2000	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 3220	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 3220	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2688	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2688	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2696	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 2696	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 4536	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 4512 wrote to memory of 4536	4512	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
"C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492
- C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
  "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD2D1.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
    "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b883c56-9b19-4e45-b0ce-3887352ec10b.vbs"
      4⤵
      PID:2820
    - - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba9d06ba-8f9a-45f3-927a-33b1c57a4314.vbs"
        6⤵
        
        PID:4440
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6859041-0437-42bf-a199-50f09214ac64.vbs"
        8⤵
        
        PID:2676
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be235e87-96eb-43ee-a6a1-d85ca5d59f06.vbs"
        10⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c036ae-5dbc-42c1-a1a3-68dac4ecd62d.vbs"
        12⤵
        
        PID:1376
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ef993b8-755b-4f63-afcd-5573097a53bc.vbs"
        14⤵
        
        PID:1040
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9bb2da0-64c0-4880-96b5-718cc6f5ab13.vbs"
        16⤵
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b118343-50fb-44a8-b912-e66f66cb855d.vbs"
        18⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b657e3d1-3f45-46a5-b130-79ed922da618.vbs"
        20⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaf86d55-63d5-4c3c-afdb-81b8d360e071.vbs"
        22⤵
        
        PID:4268
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306e978f-d40b-4208-8f0c-68dbe31b0ea7.vbs"
        24⤵
        
        PID:3288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea8cb4c3-51e8-4970-b21f-174abca84e4a.vbs"
        24⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f353457-d0de-4d4b-965c-86382ccf386f.vbs"
        22⤵
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\361118b5-3b8c-419c-bff6-cab39d6eb4ca.vbs"
        20⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B7D.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be3c471e-f6a7-4259-88cf-ac78453c545e.vbs"
        18⤵
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c152e26-6f48-4d05-ab17-db7588895603.vbs"
        16⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCF03.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7be567-a419-47d7-ae4c-6f9ac13facf7.vbs"
        14⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB2F0.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d927763-7d95-420e-978d-14352802c5f9.vbs"
        12⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91fb3642-d120-46dd-8780-f98eb56a9fcd.vbs"
        10⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed08ede-3f68-4125-ba55-f32f252afd68.vbs"
        8⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1260
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5b66ae-bf19-41e6-9aa7-b0934f92c9b0.vbs"
        6⤵
        
        PID:3164
      - C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A69.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c1ab38-1255-4656-82bf-b3a3f2e7a90b.vbs"
      4⤵
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE937.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2dadcdbb2b489045245be9cb53dcb850

SHA1
9f3f86b9ce5f9374342dd0304e88d156f5684aac

SHA256
6d598c5833911eccbcbe6ae18c0750982790545184166bf3414e1fe63318cf85

SHA512
952c68c24234b23c89f25a43c44dc926115bf0295e6483da1de52f6d9fac056e20d362286a83ea846e4a3f35fa346602b92677010f0a6adb236231b20fd439bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ca5f066b9f9fe5524bc68022defc0152

SHA1
36002bf06b2e5d6e2e0e19d3d7274f11e0c5cec2

SHA256
2020884668619f82b26cf38f827e154af76652f36ba1ddd41a6b93eb585d4f43

SHA512
a39310d4e931f133be3f894c50bf557b229adf9fbd9e0cefd47a072a7fbe2aeb1b593fb37e3d699b1c45d06ef62a6e02d39e383701e9936a95bf9968a747388f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7b47377bcaba7a045dc11be31f711b3

SHA1
c915578f1139e3d0ca94d8ea73a17698771400e8

SHA256
23d457e05f8b8fc47e6617fee28d04a7e6fab993751b94514c9308e387c95a1a

SHA512
be381612f831f820e7fb04fa94c7a61954f4bba3d1b2d1112e455b41a6e9322b35e75311fbf24d5ff541a73d56bf79976e1462fee06d337341ad0953325636a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b883c56-9b19-4e45-b0ce-3887352ec10b.vbs

Filesize
747B

MD5
dad580c0ac5fc0549b08ab064a810fc3

SHA1
934042ea4f8a28ebbd432fe19477742cd53138ee

SHA256
eec874f5f416784d42bd1c4a566e8efcc71008862abf8172b6e17cfa805e62a1

SHA512
53e80c75c3e541d1d9051a48193b22a2f3a05c3f01b27906b24ea87b14fcfdffa13e6219cae9d149bcb3796d7548131cba583a0e23901914aaa465c7c8c9e3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgubp5nn.02x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8c1ab38-1255-4656-82bf-b3a3f2e7a90b.vbs

Filesize
523B

MD5
c5afec1afb7c74a0ea541ff58a76d91f

SHA1
d32941f44a9c028d6077c14fbf3494464294c6f3

SHA256
7daf225e8db0dbc0fcddb0d94a8eaffb4197ca3980d806fd924a4fecef91f393

SHA512
c3328b7de78ace26659f318e349b9fd0eaf8d44dbcb06ed419966e26d6f259a9ea9c70cd5354f6b691edc52fa7b36196582d625187e18beb001cfc028dd96fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba9d06ba-8f9a-45f3-927a-33b1c57a4314.vbs

Filesize
747B

MD5
560cff6cd843ebf047d5658c882e04a0

SHA1
edada3d9b807b2bafd75c03a346c1fd9ed6d3401

SHA256
5e7429b0bf0c4b2d6bd0677a21f7c1432e36d7cef0979d9d2cd940283010a57f

SHA512
b5bcd6855e7facd5c217caf33595a709c940cba4a29438435498f79dc27add09e4663fc82dee0bb4fb472213df6edfa2aba8e8d5b27302b7b2fa22b9f70e7748

Download Submit
C:\Users\Admin\AppData\Local\Temp\be235e87-96eb-43ee-a6a1-d85ca5d59f06.vbs

Filesize
747B

MD5
7a4e8299f1046b944b591daa79890608

SHA1
25b6b5bbabeff80f187b741d004994d3bd005bc4

SHA256
59e51fb5890fb9a620be7d9be149cd271b298df97a84509705c070f077d93b87

SHA512
8f8908625a6399d45401bd4640d8463cedb1ac3870b4f45291676959318ec6875b98a65f77d799d8a73c80b7a5e25a48db3e5370563f4b9a63ae12577c66b479

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9c036ae-5dbc-42c1-a1a3-68dac4ecd62d.vbs

Filesize
747B

MD5
f4f91813eeb99da509b1d5cf3305c8f6

SHA1
652451fd59f87f93a044f76f1eec9e27d11acc1f

SHA256
9d704a0f751fd9478d3269c6ce8b5a4e506e11160c37904917bd0154d2bf1959

SHA512
dc66a14e9f7443557e3317d41966b6166f6ed2e0f80515b854c4817091e943f616fafac9058c88806e7fe07422d39b00dcc2b365294f78144861bcd47c0a5c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6859041-0437-42bf-a199-50f09214ac64.vbs

Filesize
747B

MD5
e1c643140cec46009c03c0f5c2d16804

SHA1
c8191425777dc7f53730948998b49e647027cae1

SHA256
d6005e31e9a2d6286221ba1d0487c005cd55e1259c76aa00b1ab508427a4be52

SHA512
64a38421569b531450ea801ca88adf3d15565410537447fbf1ba9e63299b27d12ecd543a5ac918da80a549beadd43acd8e9f37c39c3f0d2045f185974dec4165

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC16F.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\wininit.exe

Filesize
4.9MB

MD5
d6c32cc92aff05247e665fec5d1ca5ed

SHA1
864e040db2c99477669bbe45261d8d93ebdba021

SHA256
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

SHA512
b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96

Download Submit
memory/1556-450-0x000000001D100000-0x000000001D202000-memory.dmp

Filesize
1.0MB

Download
memory/2492-7-0x000000001B150000-0x000000001B160000-memory.dmp

Filesize
64KB

Download
memory/2492-3-0x000000001B370000-0x000000001B49E000-memory.dmp

Filesize
1.2MB

Download
memory/2492-11-0x000000001B310000-0x000000001B322000-memory.dmp

Filesize
72KB

Download
memory/2492-163-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-13-0x000000001B320000-0x000000001B32A000-memory.dmp

Filesize
40KB

Download
memory/2492-10-0x000000001B300000-0x000000001B30A000-memory.dmp

Filesize
40KB

Download
memory/2492-9-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/2492-8-0x000000001B2D0000-0x000000001B2E6000-memory.dmp

Filesize
88KB

Download
memory/2492-12-0x000000001C020000-0x000000001C548000-memory.dmp

Filesize
5.2MB

Download
memory/2492-6-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2492-5-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

Filesize
320KB

Download
memory/2492-4-0x000000001B2B0000-0x000000001B2CC000-memory.dmp

Filesize
112KB

Download
memory/2492-2-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-14-0x000000001B330000-0x000000001B33E000-memory.dmp

Filesize
56KB

Download
memory/2492-0-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp

Filesize
8KB

Download
memory/2492-15-0x000000001B340000-0x000000001B34E000-memory.dmp

Filesize
56KB

Download
memory/2492-16-0x000000001B350000-0x000000001B358000-memory.dmp

Filesize
32KB

Download
memory/2492-17-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/2492-1-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2492-18-0x000000001BC00000-0x000000001BC0C000-memory.dmp

Filesize
48KB

Download
memory/2676-552-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/3748-583-0x000000001B340000-0x000000001B352000-memory.dmp

Filesize
72KB

Download
memory/3768-401-0x0000000002E20000-0x0000000002E32000-memory.dmp

Filesize
72KB

Download
memory/3796-58-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4512-166-0x000000001C080000-0x000000001C092000-memory.dmp

Filesize
72KB

Download
memory/4736-65-0x000001FFA68D0000-0x000001FFA68F2000-memory.dmp

Filesize
136KB

Download