dcrat | 4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Size

1.5MB
MD5

7286e4a519fddbf2d91caa5f98d8cef7
SHA1

411cbd512ec8d764bc5a2a45d96604eaf96500ec
SHA256

4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647
SHA512

ce72777c31b6fcaa36180e7651b87f66736c2b88a567daddb1cbb96c7221b338171c1d5e6e6bf89863406c3af5d63bf464b90c7876c2e0991ad2b81220a07aee
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4500	schtasks.exe
		3792	schtasks.exe
		2844	schtasks.exe
		4856	schtasks.exe
		1816	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\d3d9\\smss.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\d3d9\\smss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0\\OfficeClickToRun.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\d3d9\\smss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0\\OfficeClickToRun.exe\", \"C:\\Windows\\HelpPane\\sysmon.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\plugins\\d3d9\\smss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0\\OfficeClickToRun.exe\", \"C:\\Windows\\HelpPane\\sysmon.exe\", \"C:\\Windows\\System32\\X_80.contrast-black\\sihost.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4600	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	4600	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4600	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4600	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4600	schtasks.exe	83

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4136	powershell.exe
1096	powershell.exe
468	powershell.exe
348	powershell.exe
1404	powershell.exe
2892	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 15 IoCs

pid	Process
2252	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
212	OfficeClickToRun.exe
2608	OfficeClickToRun.exe
1816	OfficeClickToRun.exe
1836	OfficeClickToRun.exe
2864	OfficeClickToRun.exe
2376	OfficeClickToRun.exe
1112	OfficeClickToRun.exe
456	OfficeClickToRun.exe
3204	OfficeClickToRun.exe
2912	OfficeClickToRun.exe
2696	OfficeClickToRun.exe
4940	OfficeClickToRun.exe
220	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\HelpPane\\sysmon.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\X_80.contrast-black\\sihost.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0\\OfficeClickToRun.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0\\OfficeClickToRun.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\HelpPane\\sysmon.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\X_80.contrast-black\\sihost.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\ProgramData\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\OfficeClickToRun.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\d3d9\\smss.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\VideoLAN\\VLC\\plugins\\d3d9\\smss.exe\""	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\X_80.contrast-black\sihost.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File created	C:\Windows\System32\X_80.contrast-black\66fc9ff0ee96c2	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Windows\System32\X_80.contrast-black\RCX9986.tmp	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Windows\System32\X_80.contrast-black\sihost.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\smss.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\69ddcba757bf72	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\e6c9b481da804f	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\RCX929D.tmp	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\smss.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\RCX950F.tmp	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HelpPane\RCX9714.tmp	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File opened for modification	C:\Windows\HelpPane\sysmon.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File created	C:\Windows\HelpPane\sysmon.exe	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
File created	C:\Windows\HelpPane\121e5b5079f7c0	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4500	schtasks.exe
2844	schtasks.exe
4856	schtasks.exe
1816	schtasks.exe
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
1096	powershell.exe
468	powershell.exe
348	powershell.exe
4136	powershell.exe
1404	powershell.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
1404	powershell.exe
2892	powershell.exe
2892	powershell.exe
348	powershell.exe
468	powershell.exe
1096	powershell.exe
4136	powershell.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2252	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe
2284	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2252	OfficeClickToRun.exe
Token: SeDebugPrivilege	2284	OfficeClickToRun.exe
Token: SeDebugPrivilege	212	OfficeClickToRun.exe
Token: SeDebugPrivilege	2608	OfficeClickToRun.exe
Token: SeDebugPrivilege	1816	OfficeClickToRun.exe
Token: SeDebugPrivilege	1836	OfficeClickToRun.exe
Token: SeDebugPrivilege	2864	OfficeClickToRun.exe
Token: SeDebugPrivilege	2376	OfficeClickToRun.exe
Token: SeDebugPrivilege	1112	OfficeClickToRun.exe
Token: SeDebugPrivilege	456	OfficeClickToRun.exe
Token: SeDebugPrivilege	3204	OfficeClickToRun.exe
Token: SeDebugPrivilege	2912	OfficeClickToRun.exe
Token: SeDebugPrivilege	2696	OfficeClickToRun.exe
Token: SeDebugPrivilege	4940	OfficeClickToRun.exe
Token: SeDebugPrivilege	220	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2892	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	89
PID 4084 wrote to memory of 2892	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	89
PID 4084 wrote to memory of 4136	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	90
PID 4084 wrote to memory of 4136	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	90
PID 4084 wrote to memory of 1096	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	91
PID 4084 wrote to memory of 1096	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	91
PID 4084 wrote to memory of 468	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	92
PID 4084 wrote to memory of 468	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	92
PID 4084 wrote to memory of 348	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	93
PID 4084 wrote to memory of 348	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	93
PID 4084 wrote to memory of 1404	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	94
PID 4084 wrote to memory of 1404	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	94
PID 4084 wrote to memory of 2252	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	101
PID 4084 wrote to memory of 2252	4084	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe	101
PID 2252 wrote to memory of 1120	2252	OfficeClickToRun.exe	102
PID 2252 wrote to memory of 1120	2252	OfficeClickToRun.exe	102
PID 2252 wrote to memory of 3872	2252	OfficeClickToRun.exe	103
PID 2252 wrote to memory of 3872	2252	OfficeClickToRun.exe	103
PID 1120 wrote to memory of 2284	1120	WScript.exe	107
PID 1120 wrote to memory of 2284	1120	WScript.exe	107
PID 2284 wrote to memory of 2776	2284	OfficeClickToRun.exe	108
PID 2284 wrote to memory of 2776	2284	OfficeClickToRun.exe	108
PID 2284 wrote to memory of 1852	2284	OfficeClickToRun.exe	109
PID 2284 wrote to memory of 1852	2284	OfficeClickToRun.exe	109
PID 2776 wrote to memory of 212	2776	WScript.exe	113
PID 2776 wrote to memory of 212	2776	WScript.exe	113
PID 212 wrote to memory of 2988	212	OfficeClickToRun.exe	114
PID 212 wrote to memory of 2988	212	OfficeClickToRun.exe	114
PID 212 wrote to memory of 3836	212	OfficeClickToRun.exe	115
PID 212 wrote to memory of 3836	212	OfficeClickToRun.exe	115
PID 2988 wrote to memory of 2608	2988	WScript.exe	117
PID 2988 wrote to memory of 2608	2988	WScript.exe	117
PID 2608 wrote to memory of 1524	2608	OfficeClickToRun.exe	118
PID 2608 wrote to memory of 1524	2608	OfficeClickToRun.exe	118
PID 2608 wrote to memory of 2876	2608	OfficeClickToRun.exe	119
PID 2608 wrote to memory of 2876	2608	OfficeClickToRun.exe	119
PID 1524 wrote to memory of 1816	1524	WScript.exe	121
PID 1524 wrote to memory of 1816	1524	WScript.exe	121
PID 1816 wrote to memory of 816	1816	OfficeClickToRun.exe	122
PID 1816 wrote to memory of 816	1816	OfficeClickToRun.exe	122
PID 1816 wrote to memory of 1976	1816	OfficeClickToRun.exe	123
PID 1816 wrote to memory of 1976	1816	OfficeClickToRun.exe	123
PID 816 wrote to memory of 1836	816	WScript.exe	124
PID 816 wrote to memory of 1836	816	WScript.exe	124
PID 1836 wrote to memory of 4456	1836	OfficeClickToRun.exe	125
PID 1836 wrote to memory of 4456	1836	OfficeClickToRun.exe	125
PID 1836 wrote to memory of 2284	1836	OfficeClickToRun.exe	126
PID 1836 wrote to memory of 2284	1836	OfficeClickToRun.exe	126
PID 4456 wrote to memory of 2864	4456	WScript.exe	127
PID 4456 wrote to memory of 2864	4456	WScript.exe	127
PID 2864 wrote to memory of 3632	2864	OfficeClickToRun.exe	128
PID 2864 wrote to memory of 3632	2864	OfficeClickToRun.exe	128
PID 2864 wrote to memory of 1132	2864	OfficeClickToRun.exe	129
PID 2864 wrote to memory of 1132	2864	OfficeClickToRun.exe	129
PID 3632 wrote to memory of 2376	3632	WScript.exe	130
PID 3632 wrote to memory of 2376	3632	WScript.exe	130
PID 2376 wrote to memory of 4428	2376	OfficeClickToRun.exe	131
PID 2376 wrote to memory of 4428	2376	OfficeClickToRun.exe	131
PID 2376 wrote to memory of 2008	2376	OfficeClickToRun.exe	132
PID 2376 wrote to memory of 2008	2376	OfficeClickToRun.exe	132
PID 4428 wrote to memory of 1112	4428	WScript.exe	133
PID 4428 wrote to memory of 1112	4428	WScript.exe	133
PID 1112 wrote to memory of 4856	1112	OfficeClickToRun.exe	134
PID 1112 wrote to memory of 4856	1112	OfficeClickToRun.exe	134

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe
"C:\Users\Admin\AppData\Local\Temp\4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\d3d9\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\HelpPane\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\X_80.contrast-black\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
  "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\900cd97b-65d4-44bb-a58e-ecd2d5e5fb8b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
      "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2284
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36268bde-a113-4f7f-99b1-99868997aae0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f76ae66-33d5-4264-855b-85cd77f01965.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbab8db7-08e3-4845-9f37-3f1b57cd1e12.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\886c2f32-6435-4de5-952e-fd1698b81adf.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4127a7f-45d0-4177-b3d7-70fb7e7c2fc3.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\def35dcb-ef4c-4e7f-9d28-7efb860f246d.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036670da-7225-4e5a-949c-d18f1fdc923b.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7b1b836-fe64-4e94-b84d-c5dd396157a7.vbs"
        19⤵
        
        PID:4856
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3846c00b-0d79-4217-8b81-8ed7dd1111eb.vbs"
        21⤵
        
        PID:2860
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\828e31a4-b94a-44d7-b673-49005ee92363.vbs"
        23⤵
        
        PID:844
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\599ad793-e13d-4f30-a227-1d6e991d34fa.vbs"
        25⤵
        
        PID:872
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c20d082-26be-4e8e-9621-a5f48b7ef44e.vbs"
        27⤵
        
        PID:1404
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f685550-ef12-43ab-9ebb-5d4ffbb2a57f.vbs"
        29⤵
        
        PID:4988
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe"
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1d90a2-43e3-4bb7-97fb-c92f873123dc.vbs"
        31⤵
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56d7c058-279a-45d1-858f-14ce4e8a14df.vbs"
        31⤵
        
        PID:116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f991383-eb92-46bf-933f-a59633153768.vbs"
        29⤵
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5da79d8-7a4c-47ec-9989-0086249bc678.vbs"
        27⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76a74e23-0078-4ec7-af13-d6f76f4fbc6a.vbs"
        25⤵
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f068cba8-e0c1-402a-8fba-e6ada40f1b90.vbs"
        23⤵
        
        PID:5088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42cdba04-8584-437b-b5ba-36b3d6c70a6d.vbs"
        21⤵
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955feb3c-f8e0-4900-8ecb-ba2c98867c6e.vbs"
        19⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a7af6e-4028-432c-bb90-a2d9b10230dd.vbs"
        17⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2989630f-e8f8-4e99-b5cc-6ad212d019f9.vbs"
        15⤵
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc4833a3-8ca8-42f3-88d0-2d9a16ce1702.vbs"
        13⤵
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ccbc6a1-6254-4c96-a4cb-0782868a1797.vbs"
        11⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f18665a-817e-4ade-9aeb-822594102fe4.vbs"
        9⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41af84f8-57f2-4667-b852-81c709e76de2.vbs"
        7⤵
        
        PID:3836
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c63a4904-2afe-40f1-bb67-99293753fb67.vbs"
        5⤵
        
        PID:1852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cf7b0e2-ed2f-4db2-a07c-f6416537449b.vbs"
    3⤵
    PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d9\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\HelpPane\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\X_80.contrast-black\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\036670da-7225-4e5a-949c-d18f1fdc923b.vbs

Filesize
782B

MD5
2cb263bd594bd1da1630e7b1a2352bf6

SHA1
66c89a4c8567f73f2d84ff1f906f48e509102af3

SHA256
bd211622db190b274ab4596866ce570390d78205ec124782893c3f7c9cb01ab3

SHA512
a1d04d8a7d053376bbca8c16401c1b06758783633e0cd32fad6a36f02c1ea40c86363f8c41918521951f701ae0750d8bc0cfe22ada3779d2da123bf933c84c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cf7b0e2-ed2f-4db2-a07c-f6416537449b.vbs

Filesize
558B

MD5
f9e778bc6db41bd1361c86840aa85e9e

SHA1
36fe332d5cabffd0b4002dbeceea6804580dd927

SHA256
04a61d918e9695dda65c0404c6790925b14c737e83e47698d3a1ae1cc2fffaef

SHA512
155d739a25156097133f3e85d4230f71dec0f7f590ac71d33a4b84f7e37bf089fb61256e4c9aee70529ca77b21a2f829b97c7e43b906e8bcad7e5bccb3060e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f685550-ef12-43ab-9ebb-5d4ffbb2a57f.vbs

Filesize
782B

MD5
f2730eb2ff76baf6ee387dc2a7eb3ec7

SHA1
3161f612f8144517ebdb8c8d1be4095dd3871a32

SHA256
a2c31be104489380d325330c7aed38bea263d9d0215cb84549a80c7f6b6677ff

SHA512
a38ce6899d06aab6152e1a077be516068e627fd5953ccf654256e7b3816cc7b23499efc399c0a2427ed59e7429dde7dfe291d2705951e1086e6505f7165cc91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\36268bde-a113-4f7f-99b1-99868997aae0.vbs

Filesize
782B

MD5
d5e91e9e331838181ec89566f2207451

SHA1
dd14191298640016d524c7c7991f64ee938774ce

SHA256
6d28ac530ffab5d80e3ae58d934f922f9584ef1e6650580ee6e925af95513104

SHA512
4a4c5b34c29355161df135f436d627ad645d25ba89ba134824c8dbb6a628cdb62727702fe2aad99eae17844a80f22388d6b38afac572fee76f0183a7bdd5f7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3846c00b-0d79-4217-8b81-8ed7dd1111eb.vbs

Filesize
781B

MD5
6a68d276556523b98d297d1de43b58cd

SHA1
25a940504f48fef503684445119815a5d7bd0bcf

SHA256
2d3c959416fdf0753097e3a2ab90d63fe68b978c0bc6292ccca2e6471532e5b0

SHA512
238c5557e90535d15467be7e3d16ab27e0221f2efb5e9bc34f636c2960e6e4b928de7a4c201964f02ce1388971770e39867a51419a7b55fba3cca3cab16bfde0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f76ae66-33d5-4264-855b-85cd77f01965.vbs

Filesize
781B

MD5
b322acbf938f71eedb2d0b8068712498

SHA1
ce88160a51d895b1ba835ba880bf4b6527803826

SHA256
1f98877ee9c8ad4d5a73a443eb90671bad9e4f287400b619136f42e34f93b60f

SHA512
9ca990656d120f6e301e945b5d363d0f8acef3c4cc94014410767c6b88ce170cca37fbface3b0b5a5c370cec5db44272e3193c9aba266b7274b93a270e2fd331

Download Submit
C:\Users\Admin\AppData\Local\Temp\599ad793-e13d-4f30-a227-1d6e991d34fa.vbs

Filesize
782B

MD5
7e2a4045519155d84ae13bbf794db1b0

SHA1
d89c616312a6be512da4201a9fdcac584325c2da

SHA256
0b6f0ef15cf63f266d2d7280182c380432a0fe8aab2b6e870db43439a4b70c53

SHA512
5d8c62d066ab07df38624e982ba7b0bccb271d8e329d32490fb05a7fe4f223f0fefb56093563f0db2ccd803b6d6f9d859d16255da7f167d5865bf966dce5fabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c20d082-26be-4e8e-9621-a5f48b7ef44e.vbs

Filesize
782B

MD5
3a5adcf299156dcfe61272083cb089c0

SHA1
d5e181fded6218ed021430c1d1863f92675ffcaf

SHA256
c87808254d64ce9c6f6ffe81ca3d5d924705c29783195aeedcc6e50d4b39bf58

SHA512
6f964439a8cb69e2e1a1e0984f074c1e2ae110482a600514fe15af5e50d3729802409787804b2c8dcd89f4009f38239a1cc433112ec8ff7ba34d40677e220a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\828e31a4-b94a-44d7-b673-49005ee92363.vbs

Filesize
782B

MD5
2d8fd9974c29c66ce0b56707b93c3ae4

SHA1
bf6352a64091d89bef60a6efcc07823525136f4c

SHA256
d1cbcc530dce19c43a236859dfccea7020f3cb52f226e59672400ac0c9a89950

SHA512
dd571ed54ee0158e61f853c75dcf498933b632ddac0382e47c7b1f482aff67d66784f54aef3b256ffc46fbe2a568737d44652a012314d7ce88f8e6b19295bcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\886c2f32-6435-4de5-952e-fd1698b81adf.vbs

Filesize
782B

MD5
60e3ad11908f37f57e0d8c19e70fe7a4

SHA1
6da89a218da68234da4431885e4e044558eeccf9

SHA256
903d9722f5c825c29f2fe5c466a4da040a3148609391e171daaf1ec8b069333f

SHA512
e1dae4af89c2708d9e98beebd4e2a7c06a4d51d92c4bcfd3d4074610ea2eadd6078e0a4672d4e2e4878e624a997b10cb0c3342a83978fa9a342d46074ba994e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\900cd97b-65d4-44bb-a58e-ecd2d5e5fb8b.vbs

Filesize
782B

MD5
3e39fee1c50aff26ec0d60f4c539ebb4

SHA1
8d69728a5be94178b768d4bb337b808d0ad6c59b

SHA256
a46ba12ada5905764e1e6d964c9e4f0c8c0c27dd6df2e64bdd08a140576472d7

SHA512
e6dd6d626776c323d86d99c89a71a2a4a8257114f3333440661034195aefc4a5ba847e206eb639712a0c5befa8051beb043b051134c8fece7d94fd610f438a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgyxhtnc.afv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbab8db7-08e3-4845-9f37-3f1b57cd1e12.vbs

Filesize
782B

MD5
fbebc0a46f3bcf10f4b1168b538610b8

SHA1
708d7099894cd56d988f4aa507bad7af07204b33

SHA256
c766b5fb713877f39fb3ebc5a98c444fd9b9fd2cad870e67607d1eadf3a7eb04

SHA512
96f34ee797b8691356582859c0c83985b777c4b2d30137ce99671ecea46775e221b8a57c4626869c8ddff2488d6e084652248584501699373fa65dd3189bd44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4127a7f-45d0-4177-b3d7-70fb7e7c2fc3.vbs

Filesize
782B

MD5
be620878285920d9fba34ca938b1e7f1

SHA1
503b59f14eeba6bf2d6f60fd0c0e0080ee2829e9

SHA256
e77a5763b0cb5b1631e16cb786370b3a9a8cda526bfdd3e67d46cf6488f15470

SHA512
5dd30e951c943667080e1e448a8b46bd34d5c1434674db9898d0855655fb1abe3b8d91e73585c350d2066f5e0219addc76831cd267224260552e09aea9b1d1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7b1b836-fe64-4e94-b84d-c5dd396157a7.vbs

Filesize
782B

MD5
d9c66bd69082b7b7e4f91d0c1cf4f8c4

SHA1
a9913005730a10b2a8783210a6b7d5b00d54a1e4

SHA256
e7cf1e0793641ea3d1a52f0c24aaa92a49171073a0b37007df0ac631a2386914

SHA512
a8aa7e61e38153ee959b8a1f78f19c1a6c157d59ee65d1772a66eb9b35c68f72def6bbb707eb7f0c453f5efd9c9617bc1525e3064b2b7449f50163d1535c95d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\def35dcb-ef4c-4e7f-9d28-7efb860f246d.vbs

Filesize
782B

MD5
c80f49ef2801dbb0e5cd0a0d51ea918a

SHA1
f8b7fa314842705351edb9d7e08b6c244423f940

SHA256
79a2157adb41d534169ed7aa4c3ee16725d89476390e83fb57fdb97f888f1f4c

SHA512
4cf235bfde3f816688bf275206b755334752644d985863d131612f3993d7261fb17161590d115be38465d14dc5f1820f94f4c095942895a5bd6e3b2af510a134

Download Submit
C:\Windows\System32\X_80.contrast-black\sihost.exe

Filesize
1.5MB

MD5
7286e4a519fddbf2d91caa5f98d8cef7

SHA1
411cbd512ec8d764bc5a2a45d96604eaf96500ec

SHA256
4800dbbb6e40da258de5740143bf7da9f4e87f16737cebcea24aab26b341c647

SHA512
ce72777c31b6fcaa36180e7651b87f66736c2b88a567daddb1cbb96c7221b338171c1d5e6e6bf89863406c3af5d63bf464b90c7876c2e0991ad2b81220a07aee

Download Submit
memory/220-356-0x000000001B010000-0x000000001B022000-memory.dmp

Filesize
72KB

Download
memory/1096-126-0x000001CB6E0F0000-0x000001CB6E112000-memory.dmp

Filesize
136KB

Download
memory/1836-253-0x00000000029C0000-0x00000000029D2000-memory.dmp

Filesize
72KB

Download
memory/2696-333-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2864-265-0x0000000003140000-0x0000000003152000-memory.dmp

Filesize
72KB

Download
memory/3204-310-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-11-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/4084-9-0x000000001B380000-0x000000001B38C000-memory.dmp

Filesize
48KB

Download
memory/4084-17-0x000000001BB10000-0x000000001BB1C000-memory.dmp

Filesize
48KB

Download
memory/4084-16-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/4084-15-0x000000001B3E0000-0x000000001B3EA000-memory.dmp

Filesize
40KB

Download
memory/4084-14-0x000000001B3D0000-0x000000001B3DC000-memory.dmp

Filesize
48KB

Download
memory/4084-13-0x000000001B3C0000-0x000000001B3CA000-memory.dmp

Filesize
40KB

Download
memory/4084-12-0x000000001B3B0000-0x000000001B3B8000-memory.dmp

Filesize
32KB

Download
memory/4084-24-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

Filesize
10.8MB

Download
memory/4084-10-0x000000001B390000-0x000000001B3A0000-memory.dmp

Filesize
64KB

Download
memory/4084-20-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/4084-18-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/4084-183-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

Filesize
10.8MB

Download
memory/4084-8-0x000000001B370000-0x000000001B378000-memory.dmp

Filesize
32KB

Download
memory/4084-7-0x000000001B360000-0x000000001B36C000-memory.dmp

Filesize
48KB

Download
memory/4084-6-0x0000000002B70000-0x0000000002B7A000-memory.dmp

Filesize
40KB

Download
memory/4084-5-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/4084-21-0x000000001BEB0000-0x000000001BEB8000-memory.dmp

Filesize
32KB

Download
memory/4084-3-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/4084-4-0x0000000002B60000-0x0000000002B72000-memory.dmp

Filesize
72KB

Download
memory/4084-0-0x00007FFEAA393000-0x00007FFEAA395000-memory.dmp

Filesize
8KB

Download
memory/4084-2-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

Filesize
10.8MB

Download
memory/4084-1-0x00000000006B0000-0x000000000082E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-25-0x00007FFEAA390000-0x00007FFEAAE51000-memory.dmp

Filesize
10.8MB

Download