dcrat | cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3b

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Size

1.5MB
MD5

9e54b620ba5ba95578b28cf40ce2f690
SHA1

861c80cee6a1da4b207354fa67bf6d048e52cc1c
SHA256

cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3b
SHA512

e77aae75f9d9dc2843ec3b0a0b8561acfc4ab873fcd91e8d73f01179a889c837229b1d0e05fc6f948355ac638429a8e0aec53a6aaecc0ccfa6a5562a5dd78c96
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3788	schtasks.exe
		4176	schtasks.exe
		2172	schtasks.exe
		1980	schtasks.exe
		4484	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Windows\System32\Windows.UI.Immersive\5940a34987c991		cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\", \"C:\\Users\\Public\\Desktop\\sppsvc.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\", \"C:\\Users\\Public\\Desktop\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0\\OfficeClickToRun.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\", \"C:\\Users\\Public\\Desktop\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0\\OfficeClickToRun.exe\", \"C:\\Windows\\addins\\SppExtComObj.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\", \"C:\\Users\\Public\\Desktop\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0\\OfficeClickToRun.exe\", \"C:\\Windows\\addins\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\it\\RuntimeBroker.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3676	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3676	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3676	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3676	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3676	schtasks.exe	83

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3624	powershell.exe
628	powershell.exe
2380	powershell.exe
1684	powershell.exe
396	powershell.exe
2920	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 13 IoCs

pid	Process
5076	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
4376	OfficeClickToRun.exe
3052	OfficeClickToRun.exe
1404	OfficeClickToRun.exe
4368	OfficeClickToRun.exe
2700	OfficeClickToRun.exe
1408	OfficeClickToRun.exe
3080	OfficeClickToRun.exe
1104	OfficeClickToRun.exe
3600	OfficeClickToRun.exe
436	OfficeClickToRun.exe
3248	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0\\OfficeClickToRun.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0\\OfficeClickToRun.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\it\\RuntimeBroker.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Desktop\\sppsvc.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Desktop\\sppsvc.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\addins\\SppExtComObj.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\addins\\SppExtComObj.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\it\\RuntimeBroker.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\Windows.UI.Immersive\\dllhost.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Windows.UI.Immersive\dllhost.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\System32\Windows.UI.Immersive\dllhost.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Windows\System32\Windows.UI.Immersive\5940a34987c991	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\System32\Windows.UI.Immersive\RCX8907.tmp	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\e6c9b481da804f	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\RuntimeBroker.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\9e8d7a4ca61bd9	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\RCX8D10.tmp	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\RCX9119.tmp	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\RuntimeBroker.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\addins\SppExtComObj.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Windows\addins\e1ef82546f0b02	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\addins\RCX8F15.tmp	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\addins\SppExtComObj.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4176	schtasks.exe
2172	schtasks.exe
1980	schtasks.exe
3788	schtasks.exe
4484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
2920	powershell.exe
628	powershell.exe
396	powershell.exe
2380	powershell.exe
3624	powershell.exe
1684	powershell.exe
1684	powershell.exe
2920	powershell.exe
628	powershell.exe
2380	powershell.exe
396	powershell.exe
3624	powershell.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
5076	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe
2144	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	5076	OfficeClickToRun.exe
Token: SeDebugPrivilege	2144	OfficeClickToRun.exe
Token: SeDebugPrivilege	4376	OfficeClickToRun.exe
Token: SeDebugPrivilege	3052	OfficeClickToRun.exe
Token: SeDebugPrivilege	1404	OfficeClickToRun.exe
Token: SeDebugPrivilege	4368	OfficeClickToRun.exe
Token: SeDebugPrivilege	2700	OfficeClickToRun.exe
Token: SeDebugPrivilege	1408	OfficeClickToRun.exe
Token: SeDebugPrivilege	3080	OfficeClickToRun.exe
Token: SeDebugPrivilege	1104	OfficeClickToRun.exe
Token: SeDebugPrivilege	3600	OfficeClickToRun.exe
Token: SeDebugPrivilege	436	OfficeClickToRun.exe
Token: SeDebugPrivilege	3248	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 628	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	91
PID 4204 wrote to memory of 628	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	91
PID 4204 wrote to memory of 2380	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	92
PID 4204 wrote to memory of 2380	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	92
PID 4204 wrote to memory of 1684	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	93
PID 4204 wrote to memory of 1684	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	93
PID 4204 wrote to memory of 396	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	94
PID 4204 wrote to memory of 396	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	94
PID 4204 wrote to memory of 2920	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	95
PID 4204 wrote to memory of 2920	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	95
PID 4204 wrote to memory of 3624	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	96
PID 4204 wrote to memory of 3624	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	96
PID 4204 wrote to memory of 5116	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	102
PID 4204 wrote to memory of 5116	4204	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	102
PID 5116 wrote to memory of 2820	5116	cmd.exe	105
PID 5116 wrote to memory of 2820	5116	cmd.exe	105
PID 5116 wrote to memory of 5076	5116	cmd.exe	112
PID 5116 wrote to memory of 5076	5116	cmd.exe	112
PID 5076 wrote to memory of 2648	5076	OfficeClickToRun.exe	115
PID 5076 wrote to memory of 2648	5076	OfficeClickToRun.exe	115
PID 5076 wrote to memory of 1692	5076	OfficeClickToRun.exe	116
PID 5076 wrote to memory of 1692	5076	OfficeClickToRun.exe	116
PID 2648 wrote to memory of 2144	2648	WScript.exe	121
PID 2648 wrote to memory of 2144	2648	WScript.exe	121
PID 2144 wrote to memory of 4032	2144	OfficeClickToRun.exe	122
PID 2144 wrote to memory of 4032	2144	OfficeClickToRun.exe	122
PID 2144 wrote to memory of 2352	2144	OfficeClickToRun.exe	123
PID 2144 wrote to memory of 2352	2144	OfficeClickToRun.exe	123
PID 4032 wrote to memory of 4376	4032	WScript.exe	124
PID 4032 wrote to memory of 4376	4032	WScript.exe	124
PID 4376 wrote to memory of 4576	4376	OfficeClickToRun.exe	125
PID 4376 wrote to memory of 4576	4376	OfficeClickToRun.exe	125
PID 4376 wrote to memory of 3552	4376	OfficeClickToRun.exe	126
PID 4376 wrote to memory of 3552	4376	OfficeClickToRun.exe	126
PID 4576 wrote to memory of 3052	4576	WScript.exe	130
PID 4576 wrote to memory of 3052	4576	WScript.exe	130
PID 3052 wrote to memory of 3316	3052	OfficeClickToRun.exe	131
PID 3052 wrote to memory of 3316	3052	OfficeClickToRun.exe	131
PID 3052 wrote to memory of 3312	3052	OfficeClickToRun.exe	132
PID 3052 wrote to memory of 3312	3052	OfficeClickToRun.exe	132
PID 3316 wrote to memory of 1404	3316	WScript.exe	133
PID 3316 wrote to memory of 1404	3316	WScript.exe	133
PID 1404 wrote to memory of 3336	1404	OfficeClickToRun.exe	134
PID 1404 wrote to memory of 3336	1404	OfficeClickToRun.exe	134
PID 1404 wrote to memory of 2680	1404	OfficeClickToRun.exe	135
PID 1404 wrote to memory of 2680	1404	OfficeClickToRun.exe	135
PID 3336 wrote to memory of 4368	3336	WScript.exe	136
PID 3336 wrote to memory of 4368	3336	WScript.exe	136
PID 4368 wrote to memory of 2052	4368	OfficeClickToRun.exe	137
PID 4368 wrote to memory of 2052	4368	OfficeClickToRun.exe	137
PID 4368 wrote to memory of 4428	4368	OfficeClickToRun.exe	138
PID 4368 wrote to memory of 4428	4368	OfficeClickToRun.exe	138
PID 2052 wrote to memory of 2700	2052	WScript.exe	139
PID 2052 wrote to memory of 2700	2052	WScript.exe	139
PID 2700 wrote to memory of 536	2700	OfficeClickToRun.exe	140
PID 2700 wrote to memory of 536	2700	OfficeClickToRun.exe	140
PID 2700 wrote to memory of 3488	2700	OfficeClickToRun.exe	141
PID 2700 wrote to memory of 3488	2700	OfficeClickToRun.exe	141
PID 536 wrote to memory of 1408	536	WScript.exe	142
PID 536 wrote to memory of 1408	536	WScript.exe	142
PID 1408 wrote to memory of 3228	1408	OfficeClickToRun.exe	143
PID 1408 wrote to memory of 3228	1408	OfficeClickToRun.exe	143
PID 1408 wrote to memory of 2900	1408	OfficeClickToRun.exe	144
PID 1408 wrote to memory of 2900	1408	OfficeClickToRun.exe	144

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.UI.Immersive\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XC6PrhVzR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2820
- - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
    "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5076
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e827b4fe-ed93-49df-9cf2-a58b9a95b755.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2144
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b9e8aa8-cb14-4234-81a1-849afab46871.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86a94ec7-8a48-485f-8482-abf84c079e8c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68094799-f19b-41c5-9c38-5f32f1f44474.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70387004-ede0-4ef9-93eb-a6610e9d139f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70ee47be-1636-4e3a-8b34-b2f83f899995.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba3ff52-ac9e-4dc8-8195-dc1686e452c1.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da562112-94b1-41b6-b4ab-28a5ed36b47f.vbs"
        18⤵
        
        PID:3228
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3e99c5a-b6a1-4572-b7fe-44de54928b10.vbs"
        20⤵
        
        PID:2732
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5737dd9f-f44d-4c8c-b044-05e8a873d88a.vbs"
        22⤵
        
        PID:2912
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19abdefa-1be7-4aa2-9aea-ec50e04b98ff.vbs"
        24⤵
        
        PID:3124
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\717ee19f-edc6-4859-a28b-d1c58becaa15.vbs"
        26⤵
        
        PID:3576
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\591e4a47-217b-445c-9874-324cb3074d4c.vbs"
        28⤵
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b133b02c-b7ac-4d28-9f01-a2d337219e6d.vbs"
        28⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43506b6f-7f10-464c-984c-aed4eed1a607.vbs"
        26⤵
        
        PID:732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f803784-0085-4ee7-b7ab-ccd897d3dc06.vbs"
        24⤵
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e25bfb1-78b1-4255-b688-b4347dd5952a.vbs"
        22⤵
        
        PID:3504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a3f32ce-f587-4902-bc9b-4053c915b064.vbs"
        20⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2b137c8-27af-4e66-97e7-ffc1704abec2.vbs"
        18⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce8f004c-6861-4afb-9ef5-f205e3172c44.vbs"
        16⤵
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0138a4df-8657-447d-a89c-9fb15a4521cd.vbs"
        14⤵
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2195b89e-249d-4c70-8356-38c574dc28b8.vbs"
        12⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0180c04-7bfe-4036-8023-4259faf905d2.vbs"
        10⤵
        
        PID:3312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bd20cfa-cb12-4597-8d15-bf78881064c4.vbs"
        8⤵
        
        PID:3552
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f4a265b-4365-4e4d-824b-401dfe18a285.vbs"
        6⤵
        
        PID:2352
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1198cc7c-9aa9-4ffe-b9c7-a82c0cbf7df8.vbs"
      4⤵
      PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.UI.Immersive\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\addins\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\RuntimeBroker.exe

Filesize
1.5MB

MD5
9e54b620ba5ba95578b28cf40ce2f690

SHA1
861c80cee6a1da4b207354fa67bf6d048e52cc1c

SHA256
cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3b

SHA512
e77aae75f9d9dc2843ec3b0a0b8561acfc4ab873fcd91e8d73f01179a889c837229b1d0e05fc6f948355ac638429a8e0aec53a6aaecc0ccfa6a5562a5dd78c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\1198cc7c-9aa9-4ffe-b9c7-a82c0cbf7df8.vbs

Filesize
560B

MD5
ba3821c439415075b611a8911ca8f5a2

SHA1
9e0cc3a395482691e926dd73160e22777927fac4

SHA256
923b0236e836bee1d049ac0edd17e333d43fbcba91e73077a0afce77e953f7c5

SHA512
f1ac7cb838508d1f2fa05bc556940fd915d631bfd5b4b810a5db2f08bae46b40c7e0e4c85223af0dff647aa44feb5247718934f0662f79b6fdd5cba9231cef5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\19abdefa-1be7-4aa2-9aea-ec50e04b98ff.vbs

Filesize
784B

MD5
a498149831ec2b551d4dbf1235fe3e5f

SHA1
6ff65508117b91215c8853c990d1e3dad0301852

SHA256
06f80324c31db20948ee24edf6fd71ea5fcb90e3d25713ee74d5aa624c1f4b17

SHA512
c707a1e18f3de6cca9d3cca2ac00659036a38977041569fe7b992e19bcbbef0ba1e78429b4d245c6ee33d79a6727c858c10863373e749b4af7c177e7460d38f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2XC6PrhVzR.bat

Filesize
272B

MD5
611e5867b715a051b3d5a16762b7ce28

SHA1
7abf14fa1b822358b760ab03963a53acf1f9ce34

SHA256
df3856c402fa1028aa8300ec4f0417e8688768deb4569ed447125e4207e08fb0

SHA512
3f7b070e01b79c182c58f148ceb28f98aceffd7938e75d1179717831849df1a27961657a1c73646987221acf8e3041fbb2ad7f3deea3d4d46cde839ab82ccbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5737dd9f-f44d-4c8c-b044-05e8a873d88a.vbs

Filesize
784B

MD5
8dbfaa09a29e7dcc7c97b79efb9f3e2f

SHA1
13907f5e1052e18bf328369676045561bba0b762

SHA256
d616613b068e5bf7aa85b2fb89d59bcf559072a1e8694010c6068e1ae137449b

SHA512
7b3b22c2599b2ada34569ba1b27dc0e3d5b2614a83a1c1cf40b44782c89fcb3e908c17637ce087f0088a47a5c01bbda973a986292b623da9b0e11e3f8354a62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\591e4a47-217b-445c-9874-324cb3074d4c.vbs

Filesize
784B

MD5
74bc0ceefbd551f6500934bb1761e22e

SHA1
f810dbffc1135f590651d482fe98178528d317e3

SHA256
b8fb91292132dd59775c4c5c547a47bc4f3af9d7d9596039119b9c412839f61b

SHA512
c36471738679d7886783c81261f7eda98ce2e1e9f33f630b10c1edad77299809d388360cf5bb6705e0eb6ee3cb3ad522b38dcb57662f95c3603db0b53c41281e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68094799-f19b-41c5-9c38-5f32f1f44474.vbs

Filesize
784B

MD5
8b9179213e33a93b1a2b4ca443fe128a

SHA1
05fc8efe06fa0faaa452f3aa6f9ec7e46f307108

SHA256
e4cfe3b8d25ad0e7b2670e6238e1749648747019fa3415ad45a8b55a710c2ea7

SHA512
7bb83183c6b87f65f74c4d93b7dde401bd6e510b769fe302fbcb0261f598cb4f1b609409de7c655b13a9f45fec6ca7e6240f3769d76431c22b222766eb9a3dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\70387004-ede0-4ef9-93eb-a6610e9d139f.vbs

Filesize
784B

MD5
87be453486061918216a165c5eedc071

SHA1
d778f9db68aa740589ef483e411de54ab6f4253f

SHA256
4f641992884f87a41fe7f9a80a76a0065b7dbc3eac96662908fc31b168d5b3a8

SHA512
adc897dbd6c8fb87f83ba1dcc3bc42fa0dc02e34fa38bc99c41c7982e55a48ce680ef1d7c08801a31eb9dcb83a64c24d8aa54b08cff403fdb5de524168ac0e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\70ee47be-1636-4e3a-8b34-b2f83f899995.vbs

Filesize
784B

MD5
eb697e0704a9d04d74ea1fa1f9073a01

SHA1
2eca621bfb7d5fe9c60a5d7b85993ae308073a62

SHA256
e2cccf9fbe1b26e7ce1d9ec56d211d0ae793f7973ceda32bab9d1255c16819e5

SHA512
47253a1a0f30e9847d8aed534bc20febb95c64a2cc3bfd10e48c9a1f49d13881e7898672276feaa3834b87eaf68d10fd9c602b6533a01a6fa1aebddabcf159b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\717ee19f-edc6-4859-a28b-d1c58becaa15.vbs

Filesize
783B

MD5
6cd079e316f5231b56bb116acf272ffa

SHA1
849ac9cebcfe03d286577f694d39e22bccfb1652

SHA256
e9c4cc037c1bca1c8950444cb36837c6420b8d0afb3dd08c49f965e38475f831

SHA512
36cc8a0f14db3ac10fd5540a6eeb3b797bd767f7b338b619277700c8c1bacddaa4176d2fc34b79c8510c03821f69503ebcdccc0cc36fd566f6d779167adb38d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b9e8aa8-cb14-4234-81a1-849afab46871.vbs

Filesize
784B

MD5
16cb831ad7dbf48c0299fbc4d566545a

SHA1
d5f9827aa9cadcd7d56960629be39196a9cf76e3

SHA256
42be84d974fd05ed9caebc53cca962359de37bfd3327254f62f49ebb0adc1abf

SHA512
1c51cefebbade0e73d35b26605c1210dfcffba0b06139992d0f2215d8ccdc3f40ae137ba3b0e291b1f6b31af2bdd46a3a97727e969d50ed2fce2cc02cc2146b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\86a94ec7-8a48-485f-8482-abf84c079e8c.vbs

Filesize
784B

MD5
b52d3ec4e3aa439bf7896eeb6c433d1b

SHA1
ffdd1051d0518eee1eeb01078c340593caff7ba7

SHA256
9465976914a6dd74d037c7681bef61042d21ab7bf16f1bbb70b1e3ae00bc0ba7

SHA512
33e518ddc96dc640e9e0e3a9f86cd1b3813691d3035435df0bcb5e118539c14b1b6bc85727474740d6c42d27867f6984506a9c1df4a926df3ad7297eb8a0bf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idbrkk0k.pri.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aba3ff52-ac9e-4dc8-8195-dc1686e452c1.vbs

Filesize
784B

MD5
528d9d79378b45755628a3224c9a6b2c

SHA1
ee7fe43dd0c93ad83e627f5f9b441a89e9dd98ab

SHA256
8e2c387ea9ec58aabf917cd366fbf96bbf93f7c991a907db7cb4c238740f4c12

SHA512
f15d8c0909a01ffee8dff1e09c4c83c94cfb42bb38b6c8ba17731f80d5477631a9bdc2fe185028e8916f9f95ba9d6166ece60717873b6f2ce86b0ac66d1217fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3e99c5a-b6a1-4572-b7fe-44de54928b10.vbs

Filesize
784B

MD5
7157684c677953a079ab2f9192fa15eb

SHA1
30cf4b6b39036ac605fa6cbe7d61d655a84925a3

SHA256
c4926437ac4c1d5db0650dc8e6b08bc045edc919ffd83c8dbd62a1eebc7c3b54

SHA512
a97817736607582c745211394e8b587cfa1b18a04bd9074115582ead388d34473803fdbb59dbc3b400d9118ffb85153e5c5564718819a2421418c53701813213

Download Submit
C:\Users\Admin\AppData\Local\Temp\da562112-94b1-41b6-b4ab-28a5ed36b47f.vbs

Filesize
784B

MD5
f8a4e43c34f796fe16a47f10e5073c78

SHA1
25af6f9aef4c09d0a4a283c5cdfec11dbe2b7317

SHA256
362eebfee88300c0f5999f2f2a30382590f7f9e396e11b3338b00beca75e2b7f

SHA512
4dcaf176608ee761b9066bdc17ddc15644e58dcfbf7355181b218edd70db32ba8bbaee720b74aa6340da76a0c6a4dcfde60a824769d544b58b40002921c371b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e827b4fe-ed93-49df-9cf2-a58b9a95b755.vbs

Filesize
784B

MD5
c5b08b4b0b9eebfc19f10721fae80483

SHA1
1aad55e62fafd520169bcfc946cbd77553b88a06

SHA256
c17e42ab6d75f0f5daeea5d4f49b3f3ab8c81c4bedae9c5d814cff57163dc581

SHA512
a3f816420cb3b16d70a90ad36a35f26a971542cd6e4c49fd1159ab83aeca2ddaeff1973c38b7d680d3298b2816d8ed5feb4321c2353c5bf2c5604901e0a22b96

Download Submit
memory/436-278-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/2144-163-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download
memory/2700-221-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2920-86-0x000002AA480D0000-0x000002AA480F2000-memory.dmp

Filesize
136KB

Download
memory/3052-187-0x000000001B300000-0x000000001B312000-memory.dmp

Filesize
72KB

Download
memory/3080-244-0x0000000002F90000-0x0000000002FA2000-memory.dmp

Filesize
72KB

Download
memory/4204-16-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/4204-7-0x000000001B830000-0x000000001B83C000-memory.dmp

Filesize
48KB

Download
memory/4204-12-0x000000001B880000-0x000000001B888000-memory.dmp

Filesize
32KB

Download
memory/4204-11-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/4204-1-0x0000000000450000-0x00000000005CE000-memory.dmp

Filesize
1.5MB

Download
memory/4204-14-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/4204-10-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/4204-9-0x000000001B850000-0x000000001B85C000-memory.dmp

Filesize
48KB

Download
memory/4204-15-0x000000001B8B0000-0x000000001B8BA000-memory.dmp

Filesize
40KB

Download
memory/4204-8-0x000000001B840000-0x000000001B848000-memory.dmp

Filesize
32KB

Download
memory/4204-2-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-0-0x00007FFD41BF3000-0x00007FFD41BF5000-memory.dmp

Filesize
8KB

Download
memory/4204-20-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/4204-13-0x000000001B890000-0x000000001B89A000-memory.dmp

Filesize
40KB

Download
memory/4204-6-0x000000001B810000-0x000000001B81A000-memory.dmp

Filesize
40KB

Download
memory/4204-5-0x000000001B820000-0x000000001B82C000-memory.dmp

Filesize
48KB

Download
memory/4204-17-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/4204-96-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-18-0x000000001B8E0000-0x000000001B8E8000-memory.dmp

Filesize
32KB

Download
memory/4204-25-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-24-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-3-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/4204-4-0x0000000002760000-0x0000000002772000-memory.dmp

Filesize
72KB

Download
memory/4204-21-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/4376-175-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/5076-150-0x0000000001660000-0x0000000001672000-memory.dmp

Filesize
72KB

Download