dcrat | 03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Size

1.5MB
MD5

809d07e665342266dbea6c6017c021f8
SHA1

4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1
SHA256

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26
SHA512

69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4664	schtasks.exe
		2372	schtasks.exe
		316	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9		03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
		2444	schtasks.exe
		3560	schtasks.exe
		1860	schtasks.exe
		4268	schtasks.exe
		4868	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\PerfLogs\\lsass.exe\", \"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\ngccredprov\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\PerfLogs\\lsass.exe\", \"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\ngccredprov\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Users\\All Users\\Start Menu\\taskhostw.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\notepad\\explorer.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\PerfLogs\\lsass.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\PerfLogs\\lsass.exe\", \"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\dllhost.exe\", \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\PerfLogs\\lsass.exe\", \"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\ngccredprov\\lsass.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2560	schtasks.exe	83

UAC bypass 3 TTPs 60 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
220	powershell.exe
1584	powershell.exe
4204	powershell.exe
2516	powershell.exe
2320	powershell.exe
3096	powershell.exe
4404	powershell.exe
668	powershell.exe
1176	powershell.exe
2544	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 19 IoCs

pid	Process
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
1660	csrss.exe
3472	csrss.exe
2004	csrss.exe
3272	csrss.exe
844	csrss.exe
4152	csrss.exe
1204	csrss.exe
3596	csrss.exe
2184	csrss.exe
4332	csrss.exe
4112	csrss.exe
4292	csrss.exe
4312	csrss.exe
5092	csrss.exe
4076	csrss.exe
2936	csrss.exe
3656	csrss.exe
4048	csrss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\ngccredprov\\lsass.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\ngccredprov\\lsass.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\lsass.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\RuntimeBroker.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\lsass.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Start Menu\\taskhostw.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Start Menu\\taskhostw.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Checks whether UAC is enabled 1 TTPs 40 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\Windows.Services.TargetedContent\9e8d7a4ca61bd9	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\ngccredprov\lsass.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\ngccredprov\6203df4a6bafc7	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\ngccredprov\lsass.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX7E0A.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\notepad\explorer.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\notepad\explorer.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\notepad\7a0fd90576e088	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\notepad\RCX82A0.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4664	schtasks.exe
2444	schtasks.exe
3560	schtasks.exe
1860	schtasks.exe
4268	schtasks.exe
2372	schtasks.exe
4868	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
4404	powershell.exe
220	powershell.exe
1584	powershell.exe
3096	powershell.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
4404	powershell.exe
220	powershell.exe
1584	powershell.exe
3096	powershell.exe
720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
4204	powershell.exe
2516	powershell.exe
2320	powershell.exe
2544	powershell.exe
668	powershell.exe
1176	powershell.exe
4204	powershell.exe
668	powershell.exe
2516	powershell.exe
2544	powershell.exe
1176	powershell.exe
2320	powershell.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1660	csrss.exe
Token: SeDebugPrivilege	3472	csrss.exe
Token: SeDebugPrivilege	2004	csrss.exe
Token: SeDebugPrivilege	3272	csrss.exe
Token: SeDebugPrivilege	844	csrss.exe
Token: SeDebugPrivilege	4152	csrss.exe
Token: SeDebugPrivilege	1204	csrss.exe
Token: SeDebugPrivilege	3596	csrss.exe
Token: SeDebugPrivilege	2184	csrss.exe
Token: SeDebugPrivilege	4332	csrss.exe
Token: SeDebugPrivilege	4112	csrss.exe
Token: SeDebugPrivilege	4292	csrss.exe
Token: SeDebugPrivilege	4312	csrss.exe
Token: SeDebugPrivilege	5092	csrss.exe
Token: SeDebugPrivilege	4076	csrss.exe
Token: SeDebugPrivilege	2936	csrss.exe
Token: SeDebugPrivilege	3656	csrss.exe
Token: SeDebugPrivilege	4048	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 220	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	88
PID 720 wrote to memory of 220	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	88
PID 720 wrote to memory of 1584	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	89
PID 720 wrote to memory of 1584	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	89
PID 720 wrote to memory of 3096	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	90
PID 720 wrote to memory of 3096	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	90
PID 720 wrote to memory of 4404	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	91
PID 720 wrote to memory of 4404	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	91
PID 720 wrote to memory of 3980	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	96
PID 720 wrote to memory of 3980	720	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	96
PID 3980 wrote to memory of 668	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	102
PID 3980 wrote to memory of 668	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	102
PID 3980 wrote to memory of 1176	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	103
PID 3980 wrote to memory of 1176	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	103
PID 3980 wrote to memory of 4204	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	104
PID 3980 wrote to memory of 4204	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	104
PID 3980 wrote to memory of 2544	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	105
PID 3980 wrote to memory of 2544	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	105
PID 3980 wrote to memory of 2516	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	106
PID 3980 wrote to memory of 2516	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	106
PID 3980 wrote to memory of 2320	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	107
PID 3980 wrote to memory of 2320	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	107
PID 3980 wrote to memory of 3560	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	114
PID 3980 wrote to memory of 3560	3980	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	114
PID 3560 wrote to memory of 3944	3560	cmd.exe	116
PID 3560 wrote to memory of 3944	3560	cmd.exe	116
PID 3560 wrote to memory of 1660	3560	cmd.exe	118
PID 3560 wrote to memory of 1660	3560	cmd.exe	118
PID 1660 wrote to memory of 4540	1660	csrss.exe	119
PID 1660 wrote to memory of 4540	1660	csrss.exe	119
PID 1660 wrote to memory of 3008	1660	csrss.exe	120
PID 1660 wrote to memory of 3008	1660	csrss.exe	120
PID 4540 wrote to memory of 3472	4540	WScript.exe	121
PID 4540 wrote to memory of 3472	4540	WScript.exe	121
PID 3472 wrote to memory of 1892	3472	csrss.exe	122
PID 3472 wrote to memory of 1892	3472	csrss.exe	122
PID 3472 wrote to memory of 636	3472	csrss.exe	123
PID 3472 wrote to memory of 636	3472	csrss.exe	123
PID 1892 wrote to memory of 2004	1892	WScript.exe	126
PID 1892 wrote to memory of 2004	1892	WScript.exe	126
PID 2004 wrote to memory of 2256	2004	csrss.exe	127
PID 2004 wrote to memory of 2256	2004	csrss.exe	127
PID 2004 wrote to memory of 4800	2004	csrss.exe	128
PID 2004 wrote to memory of 4800	2004	csrss.exe	128
PID 2256 wrote to memory of 3272	2256	WScript.exe	129
PID 2256 wrote to memory of 3272	2256	WScript.exe	129
PID 3272 wrote to memory of 4364	3272	csrss.exe	130
PID 3272 wrote to memory of 4364	3272	csrss.exe	130
PID 3272 wrote to memory of 4080	3272	csrss.exe	131
PID 3272 wrote to memory of 4080	3272	csrss.exe	131
PID 4364 wrote to memory of 844	4364	WScript.exe	132
PID 4364 wrote to memory of 844	4364	WScript.exe	132
PID 844 wrote to memory of 780	844	csrss.exe	133
PID 844 wrote to memory of 780	844	csrss.exe	133
PID 844 wrote to memory of 2248	844	csrss.exe	134
PID 844 wrote to memory of 2248	844	csrss.exe	134
PID 780 wrote to memory of 4152	780	WScript.exe	135
PID 780 wrote to memory of 4152	780	WScript.exe	135
PID 4152 wrote to memory of 4148	4152	csrss.exe	136
PID 4152 wrote to memory of 4148	4152	csrss.exe	136
PID 4152 wrote to memory of 4600	4152	csrss.exe	137
PID 4152 wrote to memory of 4600	4152	csrss.exe	137
PID 4148 wrote to memory of 1204	4148	WScript.exe	138
PID 4148 wrote to memory of 1204	4148	WScript.exe	138

System policy modification 1 TTPs 60 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
"C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\notepad\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
  "C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ngccredprov\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fN5PwV5jhF.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
      "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1660
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26252663-3174-41df-b988-f5dbeb91f711.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c701e7-250c-4ff6-ab62-2a3b6d000671.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b4261b0-ce07-46c2-ada2-de25ec42ae37.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c175b91-1dd3-42b2-b7d4-69c65e1f77fc.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cd190b9-0137-4556-8b87-23d9a42fb883.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9a38c5-8663-4352-ad6c-68dd56ddb95f.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8274ca48-051f-4746-8d6a-72d5c50659f2.vbs"
        17⤵
        
        PID:3208
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\025a9883-c803-4692-9464-48bc6793c96d.vbs"
        19⤵
        
        PID:3032
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9a0d54-5bf9-42b7-ad2b-bcc6154271ee.vbs"
        21⤵
        
        PID:1524
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f863dfc-a464-4311-8f5d-f40e427c85eb.vbs"
        23⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d3bb9d0-77f7-48ca-9386-81d9e4691819.vbs"
        25⤵
        
        PID:3568
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af95955f-c520-4c7e-8559-59bb2a1f0ed3.vbs"
        27⤵
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e193f42b-f4b9-469c-b531-626a74a6d477.vbs"
        29⤵
        
        PID:4596
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c66f3f3b-6e5f-464c-aa76-54922697fb4b.vbs"
        31⤵
        
        PID:4844
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25f7a201-945a-4519-8f81-74a4d79b1487.vbs"
        33⤵
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f94ac71-4270-40b2-8a9b-420b0a5f8efa.vbs"
        35⤵
        
        PID:2444
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        36⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d26b7d23-34db-47a1-8265-eb171e0b6dfa.vbs"
        37⤵
        
        PID:4872
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe"
        38⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f13f126-9b2c-4426-bdb6-8114883e6b99.vbs"
        39⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97016926-b205-4263-896f-a96043d921d4.vbs"
        39⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ab2ecf9-060d-419a-8d1c-a547e7d804d2.vbs"
        37⤵
        
        PID:5052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe31d9b2-0631-47f5-aff7-f265580dc6dc.vbs"
        35⤵
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfe344e2-1b08-4d0c-956f-c36eb09160ba.vbs"
        33⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caba878a-927a-4e0c-be94-3e5c560974d6.vbs"
        31⤵
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35adf72-b159-4b4f-badc-f49d7e5d7612.vbs"
        29⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18b043ee-9612-45f7-830a-76b63c182cb6.vbs"
        27⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\108e7218-a49a-4b1e-895c-483aa66be8f6.vbs"
        25⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8bdd291-ab37-4eac-81ed-cf7312bcf9cd.vbs"
        23⤵
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bb2da68-41c2-42f4-b06d-225b80162d89.vbs"
        21⤵
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3f36199-04ef-457f-ae78-b188ffe4bcb3.vbs"
        19⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a47f76d6-d9ff-478c-876d-09c1d75d2f93.vbs"
        17⤵
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee06868f-d29f-4041-85ac-0ff12c38676f.vbs"
        15⤵
        
        PID:4600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98167ca5-bf77-46e9-bec8-34dbcc7138aa.vbs"
        13⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfe44559-6ceb-44e3-9543-1c8771757408.vbs"
        11⤵
        
        PID:4080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01299b9c-f345-4a91-951f-3377d66a7447.vbs"
        9⤵
        
        PID:4800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c832e518-a6f5-4fc7-93c0-a0fef7f4bce1.vbs"
        7⤵
        
        PID:636
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e45ed9cd-e0e5-4c98-8046-8947c7dacc29.vbs"
        5⤵
        
        PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\ngccredprov\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Filesize
1.5MB

MD5
809d07e665342266dbea6c6017c021f8

SHA1
4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1

SHA256
03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

SHA512
69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55e6a9f4123f5067a6e2283d4d90ed25

SHA1
4316c0e874b45b799af4007eda67d8d5c1c2536a

SHA256
2d10d657b62f0e0d34782f57d8ef95012b03ca977ae9002c28a9d884dcbc8a91

SHA512
767cfbe2b172f840f58f90116f353ec2009384ea24040c7b3d673f55d396ca64566b6433dcc39cbb67c992c945e9eb35948f154c1311779685405a33f25332dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0fd3f36f28a947bdd05f1e05acf24489

SHA1
cf12e091a80740df2201c5b47049dd231c530ad3

SHA256
d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50

SHA512
5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\025a9883-c803-4692-9464-48bc6793c96d.vbs

Filesize
733B

MD5
5091519ffe5cad58e9eb6315b76d15a7

SHA1
20e88bc0886039436409e5d407d918198b108f0e

SHA256
2756fdedeef92097bf6f06c12dc0b04adbe20f066fd0a4a46571ddf91373818b

SHA512
f709f67d69d45673bdb01d0ce80dd94e8cc2633d32815fea6a41f44411ce8188c311fa64375236bd7e2352226acaf23f9cba3091089e4dfbcb3f7996b037c67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c175b91-1dd3-42b2-b7d4-69c65e1f77fc.vbs

Filesize
733B

MD5
f87005441c3a7466dd51b914a424d3c1

SHA1
f6909d2edd7037889967d97e6e7cd117551a2d86

SHA256
4210d06dd8f20d6be7b8b1966e8787ffef3b90ace5828b5635c78eae6f441fd7

SHA512
4f7677a013c1e88209382dec6f35d70788ea358bf79b014b1b34932f1dce293deac289b4c1ae0138ab5e660914da6e3289f5f0807d6ba76f63f7ef26b12d2631

Download Submit
C:\Users\Admin\AppData\Local\Temp\26252663-3174-41df-b988-f5dbeb91f711.vbs

Filesize
733B

MD5
d6ba89814738516d4283fd1381abf8a9

SHA1
a9d88683a018cb15da9362fbace1a9c14b8b5874

SHA256
9efdcc973807534be399bab22b93985dba98a38ced3c0b5dbb0bf9bc6f3aac38

SHA512
b95b000bc2bd6a23e1b579cd26de612ca54da6a1d11dfb45e04e1735f9f7a054298821167eae66ad2478d112b5a6f3cc0d75829a540886cd61d2b9e34f268cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f863dfc-a464-4311-8f5d-f40e427c85eb.vbs

Filesize
733B

MD5
266fb0e3395fa466546fd72d4e78583d

SHA1
9e0d15cdb557569465997e31d47285c60e8b7954

SHA256
cf515216393b58b00404f26abefe1441eec92366476fa17798a6ddc8c3bf3bd4

SHA512
1d3c1f3c01b9b6b6ccd481468d8a6873b09aa885d968b58ffe8b5cbc093bf1ebdba3f9d505cb8c3c05981620170472fe6bb19dd2b3159724ee6173455653984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\51c701e7-250c-4ff6-ab62-2a3b6d000671.vbs

Filesize
733B

MD5
92ebfe9d8ce65d867020b46fcabeb363

SHA1
3a1f16c4e07bbab56b5d6922c853990d39355761

SHA256
b863605421e8d17fc58fe2041abccb8c66433fa8d4ac9eea608f493b9c89b7d7

SHA512
37a1548d4810d8ce606d3def96e1da8cf3d71c71f5503c59490b170fc646a9bf0d0c5ab05200c293b26e63a9f753221e2791451109c973bac4cb9143fff3d9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cd190b9-0137-4556-8b87-23d9a42fb883.vbs

Filesize
732B

MD5
2b3c43483dd1b4bdbcfc40d6f35e1c37

SHA1
03b7dca1e515fc2819d5f5d54b92426fa19935d8

SHA256
447580de1aedbe109b4bbf6efa158067059fca7b4065df0754f4e1cf5c005703

SHA512
ce5a270e77002c0b650eba5a10f91e42ce128fb65330f8a9a403bb43f0114855f94a4d63ae3ae235cedffb132c5475a0260462caf704fc400c8f20123c4af7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8274ca48-051f-4746-8d6a-72d5c50659f2.vbs

Filesize
733B

MD5
1c5dba49da534a03502e6ac5bf65d337

SHA1
e09a7a6d619bc720d278e6936cf54174f1400fcf

SHA256
207d012a24d3d42d8c9df22d88e92d79bf781778cdb884090f342119201f73fe

SHA512
5589ab568541ca2ba7a71353e37e99c8a529aeea9cbd9507e9fdf8e1cf1f1e007dba0226f2b2f9255c8adc0fa53748047818725a54e488b253a8c91d92f2b6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b4261b0-ce07-46c2-ada2-de25ec42ae37.vbs

Filesize
733B

MD5
5469a84748d53ea51d1f11ec99863b76

SHA1
20c3ec7d6ff5c023e6a10c7ae7aacd5d11eacb93

SHA256
214060107966f61638fb22732a276513292e9196fa910f861d2aade8e1f8318c

SHA512
c6607daa9ec4d7ed7cd61688a06a47027b15a07f50ee89fd957dcdee3943970badee6e69201be7a3bdcd5b33430f3ca1979c98a031651ead8ac27e9b3f533aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d3bb9d0-77f7-48ca-9386-81d9e4691819.vbs

Filesize
733B

MD5
9b3eda60a58adfa27936f27b3f98d4bf

SHA1
0bb9432a993aec1f708eb0f9ee40e561bc1075cc

SHA256
1908f33f8aa44f415ae4a17729012588db2b3d91e271de3bb3261b84817bd955

SHA512
2cb63b18fad89cc38a561aadc5ed15482206b50832a0047db65ab2305de44eeeb397625b5b7042bbf32314fbfce78133f35a627ddc470024c88d9a1a6378c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nl3bqk40.hlz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\af95955f-c520-4c7e-8559-59bb2a1f0ed3.vbs

Filesize
733B

MD5
fa3b57268327763dc8ea21c2b7d3114f

SHA1
c4b0e4982ba8add65bdf123d9fc4695ca0f112c2

SHA256
1c146d82ac49e2d14127f2b445437dc3da4498fd894584eb578bd0865ba939c4

SHA512
8ee8b5b3f07b2ad593264e418c11f1451b7dd3a6afa6fe9e13cc3ef77323867463a31d98017f23eb5bd9742fc4dd1dbde6a8e00f5d34f72e32de0633a67879f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc9a38c5-8663-4352-ad6c-68dd56ddb95f.vbs

Filesize
733B

MD5
ff1f2b3efbdfcb323d43549ac6d88f6c

SHA1
dca08afe83e39cdacdec1b575bb6b8d692f6cf6b

SHA256
3b2ab9ba8f3f7709d2ea7d3e899e3b6ecad21b364279ec7ecfb18e11648e0f3f

SHA512
cddab46c0b67cc04a524f4c8dca9b36ca51c97a789d5b4ba56b01f68ea252ca7a928253f63f630868ee8f153f1a687614cf17713e4b690e543b9fdd120f3431f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e45ed9cd-e0e5-4c98-8046-8947c7dacc29.vbs

Filesize
509B

MD5
7c2af9f6c4599f6f95461a69b91521da

SHA1
201c9b6515bf5a13c1ae59f41182126f8ba0b7ff

SHA256
552408803c2101c1cc20f0e2d3ceb347c4a62b105ec8f51268a7447642c6215c

SHA512
089588b404712101af55fd6b6f051851848c1dc791cdfe715762977a1c1345ac0192125a97375228ef0aa4d1b2eb35dcd4cd8eacfd7dcb89566038ba06f110a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
504B

MD5
b9af32e99db1ae2d256dd2769ac0921a

SHA1
709b6ca0c8460c7ba35e76446cc56128e4fc0d22

SHA256
bb69289c116b34dc2c38b2946c712596bb2876e9aa58a478feb1332732a786b3

SHA512
00223e87aceb2984e8b9d9e75883c69a50332a9e866fef40aa6839cc2c117c3ef3716f3c0c1858962c492010cd22487f41f3f0b64065183981b17805e03e2f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fN5PwV5jhF.bat

Filesize
221B

MD5
1d1fcd1a15d7a20363c11aebe3f269a9

SHA1
225b1b709aa9a8011c6bc85454a1f318c393c99d

SHA256
e24990c626f2411c76f7d2336b4f54c8621c6bc1cdd9bcced46811cce603cdba

SHA512
09e88ed67edee1b94248c53723afac9e4f0e69cae3f2bb7f64723f4598dd182805fb4f25a1a538da6c8326d85e3ff4448532c58086ffa1ff5eeb9a529a76ddcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe9a0d54-5bf9-42b7-ad2b-bcc6154271ee.vbs

Filesize
733B

MD5
fd855704b78df07a0255382312c8fbfa

SHA1
f507453ee0a596387b7d39cbedb0a96778049ae6

SHA256
7ef360eec42df0a21e6a274e81c7c5b422a346b181eecbd445a32e5d30fbe7be

SHA512
49ded8e2b8f885b980893429a56b963c19ca67729c172e66d343190eb255fe3fc1c09def947c47432f57cd1f714f7eeff282aa940f797ca9d15fa6c6b9500668

Download Submit
memory/720-3-0x0000000002A40000-0x0000000002A48000-memory.dmp

Filesize
32KB

Download
memory/720-4-0x000000001B390000-0x000000001B3A2000-memory.dmp

Filesize
72KB

Download
memory/720-13-0x000000001BB80000-0x000000001BB8A000-memory.dmp

Filesize
40KB

Download
memory/720-12-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/720-11-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/720-17-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/720-10-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/720-14-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/720-9-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/720-8-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/720-7-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/720-6-0x000000001B3C0000-0x000000001B3CA000-memory.dmp

Filesize
40KB

Download
memory/720-16-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/720-5-0x000000001B3A0000-0x000000001B3AC000-memory.dmp

Filesize
48KB

Download
memory/720-34-0x00007FFFDD410000-0x00007FFFDDED1000-memory.dmp

Filesize
10.8MB

Download
memory/720-94-0x00007FFFDD410000-0x00007FFFDDED1000-memory.dmp

Filesize
10.8MB

Download
memory/720-0-0x00007FFFDD413000-0x00007FFFDD415000-memory.dmp

Filesize
8KB

Download
memory/720-25-0x00007FFFDD410000-0x00007FFFDDED1000-memory.dmp

Filesize
10.8MB

Download
memory/720-1-0x0000000000750000-0x00000000008CE000-memory.dmp

Filesize
1.5MB

Download
memory/720-15-0x000000001BBA0000-0x000000001BBAA000-memory.dmp

Filesize
40KB

Download
memory/720-18-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/720-24-0x00007FFFDD410000-0x00007FFFDDED1000-memory.dmp

Filesize
10.8MB

Download
memory/720-21-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/720-2-0x00007FFFDD410000-0x00007FFFDDED1000-memory.dmp

Filesize
10.8MB

Download
memory/720-20-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/844-248-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/1204-271-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/1660-201-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/2184-294-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/3272-236-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/4404-61-0x000001CF69950000-0x000001CF69972000-memory.dmp

Filesize
136KB

Download