dcrat | ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Size

1.5MB
MD5

8b94c19be340bab63211bf41f8cff84a
SHA1

3b11722edb38d3303fd7f55007750c8567b2bf85
SHA256

ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8
SHA512

2df90061b7ccfc658736807ed7b89b568ad790ca83748fbe07e659d31916c480f8892fab3a72d42674877e1dec8de6583f3b9e5643785b582bceb2b348f82959
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR6:EzhWhCXQFN+0IEuQgyiVKS

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1928	schtasks.exe
		4680	schtasks.exe
		4908	schtasks.exe
		3640	schtasks.exe
		3260	schtasks.exe
		3168	schtasks.exe
		3212	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
		3660	schtasks.exe
		4008	schtasks.exe
		4796	schtasks.exe
		1520	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Registry.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\1.3.147.37\\spoolsv.exe\", \"C:\\Users\\Admin\\OneDrive\\TextInputHost.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\1.3.147.37\\spoolsv.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2452	schtasks.exe	83

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4476	powershell.exe
3404	powershell.exe
2004	powershell.exe
1848	powershell.exe
5016	powershell.exe
4332	powershell.exe
1064	powershell.exe
1720	powershell.exe
1792	powershell.exe
4912	powershell.exe
3236	powershell.exe
2992	powershell.exe
1492	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 13 IoCs

pid	Process
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
2860	unsecapp.exe
2412	unsecapp.exe
2024	unsecapp.exe
2900	unsecapp.exe
2804	unsecapp.exe
932	unsecapp.exe
4036	unsecapp.exe
684	unsecapp.exe
4252	unsecapp.exe
2892	unsecapp.exe
3352	unsecapp.exe
208	unsecapp.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Registry.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\portabledevicetypes\\unsecapp.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\SoftwareDistribution\\RuntimeBroker.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Registry.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\1.3.147.37\\spoolsv.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Admin\\OneDrive\\TextInputHost.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Admin\\OneDrive\\TextInputHost.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\1.3.147.37\\spoolsv.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\Windows.Shell.ServiceHostBuilder\\fontdrvhost.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\cmmon32\\RuntimeBroker.exe\""	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\portabledevicetypes\29c1c3cc0f7685	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Windows\System32\Windows.Shell.ServiceHostBuilder\fontdrvhost.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Windows\System32\wbem\portabledevicetypes\RCXDC8A.tmp	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Windows\System32\cmmon32\9e8d7a4ca61bd9	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Windows\System32\cmmon32\RuntimeBroker.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Windows\System32\Windows.Shell.ServiceHostBuilder\fontdrvhost.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Windows\System32\Windows.Shell.ServiceHostBuilder\5b884080fd4f94	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Windows\System32\cmmon32\RuntimeBroker.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Windows\System32\Windows.Shell.ServiceHostBuilder\RCXDA85.tmp	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\spoolsv.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Program Files (x86)\Windows Mail\upfc.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Program Files (x86)\Windows Mail\ea1d8f6d871115	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD5FF.tmp	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\upfc.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\spoolsv.exe	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\f3b6ecef712a24	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1520	schtasks.exe
1928	schtasks.exe
4680	schtasks.exe
4908	schtasks.exe
3660	schtasks.exe
3260	schtasks.exe
3168	schtasks.exe
4008	schtasks.exe
3640	schtasks.exe
3212	schtasks.exe
4796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
4912	powershell.exe
2004	powershell.exe
3404	powershell.exe
1720	powershell.exe
1792	powershell.exe
4476	powershell.exe
1792	powershell.exe
1720	powershell.exe
3404	powershell.exe
2004	powershell.exe
4912	powershell.exe
4476	powershell.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
3236	powershell.exe
3236	powershell.exe
4332	powershell.exe
4332	powershell.exe
2992	powershell.exe
2992	powershell.exe
1064	powershell.exe
1848	powershell.exe
1848	powershell.exe
1064	powershell.exe
5016	powershell.exe
5016	powershell.exe
1492	powershell.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2860	unsecapp.exe
Token: SeDebugPrivilege	2412	unsecapp.exe
Token: SeDebugPrivilege	2024	unsecapp.exe
Token: SeDebugPrivilege	2900	unsecapp.exe
Token: SeDebugPrivilege	2804	unsecapp.exe
Token: SeDebugPrivilege	932	unsecapp.exe
Token: SeDebugPrivilege	4036	unsecapp.exe
Token: SeDebugPrivilege	684	unsecapp.exe
Token: SeDebugPrivilege	4252	unsecapp.exe
Token: SeDebugPrivilege	2892	unsecapp.exe
Token: SeDebugPrivilege	3352	unsecapp.exe
Token: SeDebugPrivilege	208	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1720	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	89
PID 1148 wrote to memory of 1720	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	89
PID 1148 wrote to memory of 1792	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	90
PID 1148 wrote to memory of 1792	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	90
PID 1148 wrote to memory of 4476	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	91
PID 1148 wrote to memory of 4476	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	91
PID 1148 wrote to memory of 4912	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	92
PID 1148 wrote to memory of 4912	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	92
PID 1148 wrote to memory of 3404	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	93
PID 1148 wrote to memory of 3404	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	93
PID 1148 wrote to memory of 2004	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	94
PID 1148 wrote to memory of 2004	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	94
PID 1148 wrote to memory of 5024	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	101
PID 1148 wrote to memory of 5024	1148	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	101
PID 5024 wrote to memory of 1800	5024	cmd.exe	103
PID 5024 wrote to memory of 1800	5024	cmd.exe	103
PID 5024 wrote to memory of 1664	5024	cmd.exe	110
PID 5024 wrote to memory of 1664	5024	cmd.exe	110
PID 1664 wrote to memory of 1848	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	123
PID 1664 wrote to memory of 1848	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	123
PID 1664 wrote to memory of 5016	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	124
PID 1664 wrote to memory of 5016	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	124
PID 1664 wrote to memory of 3236	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	125
PID 1664 wrote to memory of 3236	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	125
PID 1664 wrote to memory of 4332	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	126
PID 1664 wrote to memory of 4332	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	126
PID 1664 wrote to memory of 2992	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	127
PID 1664 wrote to memory of 2992	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	127
PID 1664 wrote to memory of 1064	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	128
PID 1664 wrote to memory of 1064	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	128
PID 1664 wrote to memory of 1492	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	129
PID 1664 wrote to memory of 1492	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	129
PID 1664 wrote to memory of 60	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	137
PID 1664 wrote to memory of 60	1664	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe	137
PID 60 wrote to memory of 4624	60	cmd.exe	139
PID 60 wrote to memory of 4624	60	cmd.exe	139
PID 60 wrote to memory of 2860	60	cmd.exe	141
PID 60 wrote to memory of 2860	60	cmd.exe	141
PID 2860 wrote to memory of 4072	2860	unsecapp.exe	142
PID 2860 wrote to memory of 4072	2860	unsecapp.exe	142
PID 2860 wrote to memory of 1504	2860	unsecapp.exe	143
PID 2860 wrote to memory of 1504	2860	unsecapp.exe	143
PID 4072 wrote to memory of 2412	4072	WScript.exe	146
PID 4072 wrote to memory of 2412	4072	WScript.exe	146
PID 2412 wrote to memory of 1936	2412	unsecapp.exe	147
PID 2412 wrote to memory of 1936	2412	unsecapp.exe	147
PID 2412 wrote to memory of 1712	2412	unsecapp.exe	148
PID 2412 wrote to memory of 1712	2412	unsecapp.exe	148
PID 1936 wrote to memory of 2024	1936	WScript.exe	150
PID 1936 wrote to memory of 2024	1936	WScript.exe	150
PID 2024 wrote to memory of 2528	2024	unsecapp.exe	151
PID 2024 wrote to memory of 2528	2024	unsecapp.exe	151
PID 2024 wrote to memory of 2348	2024	unsecapp.exe	152
PID 2024 wrote to memory of 2348	2024	unsecapp.exe	152
PID 2528 wrote to memory of 2900	2528	WScript.exe	153
PID 2528 wrote to memory of 2900	2528	WScript.exe	153
PID 2900 wrote to memory of 1552	2900	unsecapp.exe	154
PID 2900 wrote to memory of 1552	2900	unsecapp.exe	154
PID 2900 wrote to memory of 1680	2900	unsecapp.exe	155
PID 2900 wrote to memory of 1680	2900	unsecapp.exe	155
PID 1552 wrote to memory of 2804	1552	WScript.exe	157
PID 1552 wrote to memory of 2804	1552	WScript.exe	157
PID 2804 wrote to memory of 2436	2804	unsecapp.exe	158
PID 2804 wrote to memory of 2436	2804	unsecapp.exe	158

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
"C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Shell.ServiceHostBuilder\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMVBcLz2S0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe
    "C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\cmmon32\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Registry.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\TextInputHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bVbe0B3IxC.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4624
    - - C:\Recovery\WindowsRE\unsecapp.exe
        
        "C:\Recovery\WindowsRE\unsecapp.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2860
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90969d3e-14f9-4d03-a5e5-2a5b425059bf.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e77781fa-e49a-4c81-93d6-77ca3e757448.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c22a9e-e29f-4b26-8130-a208edf5527f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd5832dd-79a3-4d83-ba0c-5584e934f9af.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4974fc7b-4a9b-494d-90b5-c7798c0ce0d0.vbs"
        14⤵
        
        PID:2436
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4967445a-6cc1-49ee-8c6b-d92a40433fcc.vbs"
        16⤵
        
        PID:856
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feb48490-eb13-4c53-9202-cddb9be16be8.vbs"
        18⤵
        
        PID:4508
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfea3785-c05c-47cc-86b2-225d215bc65e.vbs"
        20⤵
        
        PID:4740
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b6405ec-9c2a-4d85-8fbf-74f6fc89d942.vbs"
        22⤵
        
        PID:3244
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6167d36-0951-4324-aaf9-168d8ba29cbc.vbs"
        24⤵
        
        PID:4456
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02cd50e5-f708-4a37-b94f-68628e1f9536.vbs"
        26⤵
        
        PID:4088
        
        C:\Recovery\WindowsRE\unsecapp.exe
        
        C:\Recovery\WindowsRE\unsecapp.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\724faae8-6e07-4144-b61f-6786a5b926ea.vbs"
        28⤵
        
        PID:4196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a368250-c58e-4a86-848a-cd4417cf2f68.vbs"
        28⤵
        
        PID:3356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8174980e-6c36-4587-a036-e2c3786ae948.vbs"
        26⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe29249-8395-414b-96b8-68bb49544676.vbs"
        24⤵
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4eff5ee-718b-4cd2-bc4a-ef21a0f34352.vbs"
        22⤵
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f10781a6-5cdc-408c-b2ed-683184768bb2.vbs"
        20⤵
        
        PID:4008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7115d65e-aa64-49fc-96b9-69d4b544eee2.vbs"
        18⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee4f756-5bfb-49dd-8569-d363c622f896.vbs"
        16⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4664f274-eaa7-4b53-8d0f-79cbff2bc011.vbs"
        14⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ddaf4fe-65d2-423d-ac32-3bf649ac43ae.vbs"
        12⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ac0581d-c331-497e-90e2-cc54a79c65a7.vbs"
        10⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95952950-3719-4f3b-904b-d0b1c6f7ca97.vbs"
        8⤵
        
        PID:1712
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf8cb27-3f07-4253-8bb8-bb1311ff53d5.vbs"
        6⤵
        
        PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Shell.ServiceHostBuilder\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\cmmon32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Microsoft\PlayReady\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\02cd50e5-f708-4a37-b94f-68628e1f9536.vbs

Filesize
710B

MD5
1a8ac17911f8e74219e6048626ea548a

SHA1
ce806853de30aa7c0120264b219c56526e9c696d

SHA256
5ec0a8f7723bd18c51afc9b21f7578249946c896774076e39e10c3d127ca1c9e

SHA512
a25096fac80a2b2cc14ef612e7c9bbd96fe6a7053b924f1ca79d8100d3c2ba7f4237752e818b901461197a6ec321fe6d0d638ded31623a405b532a3e6c4c0a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\22c22a9e-e29f-4b26-8130-a208edf5527f.vbs

Filesize
710B

MD5
a5a44ce1405c49aa623eee70ce67ddf6

SHA1
ea3defce840c665a0630d7dea36d324f7c14c999

SHA256
bf43a64f299922083b09673e3a175b3dd143527ef524cdee5ecbd8f660c8e063

SHA512
f22ade40f25c67d3a809aaee9ad5be31f567afff9c7c10c95596e176edd57838dc3934bd24288f06fad066c3e7bc6230548c559bd12985baa5f3ae5d39e2df80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bf8cb27-3f07-4253-8bb8-bb1311ff53d5.vbs

Filesize
486B

MD5
c79b719fc0fb26a94ff7a9aa03e7326d

SHA1
f3de4230de81c5277ab684e492a061b8c30349a5

SHA256
ff52d4087b01fd776ed82f1cefd45c78e00bf832327dcd3c37ca3b3e993c1d1d

SHA512
4722f98eadac2bfc09eb8342ae50699c4bf90dd634d731ac47cb593b203c905a67d8f52bb19c4a00560c8c49343d26c50459ba387da4e4ff3262dde3ef53b610

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b6405ec-9c2a-4d85-8fbf-74f6fc89d942.vbs

Filesize
710B

MD5
71cde431c44390f6eab3a1b8ae64412a

SHA1
284925aecf24adf3334ea711eb8e8639b101a09e

SHA256
0d66bf2ebbd91010473f629884b5bc2679840981d34d7449bb5140191fffbb96

SHA512
bea3cbda96e65f6ba120c9dab8bdac45c29b45bf6a87a44e793b10db6c167140dec2730475d980ba7317b313a8539bc5d4f687f0833f183edaff07fe93804303

Download Submit
C:\Users\Admin\AppData\Local\Temp\4967445a-6cc1-49ee-8c6b-d92a40433fcc.vbs

Filesize
709B

MD5
852ac9e2d34209c9bdef2a14233a873c

SHA1
c76cb636224b1e355b75d715b054e9e335ee6ff7

SHA256
f01340f099ff996f9d150aded23ea10b53265d1bd51b3d5b861975c9788d0380

SHA512
616252c989d60318ac2d565ca9291e683369a35a128e15920a9e80b2eb6b44e47eaefdab296edc5d00639177d336e1848677c8cf79ee8247052ece4d15c27944

Download Submit
C:\Users\Admin\AppData\Local\Temp\4974fc7b-4a9b-494d-90b5-c7798c0ce0d0.vbs

Filesize
710B

MD5
b1525b0be9ca10d3bb18871f4364c298

SHA1
7dbd86fd5a320f96e07d5a69e9cd93d31122b6a3

SHA256
ce1029e384f8d02a065438bf33b0252641b5920eef0eb8386320a3f559c5925d

SHA512
a1dd66b66f928c73b139ed983afa62302fadb4019b84d19f3e37270a8ab1ec3400bb9d7794fabc0f2853ac7ec890b370347769810e3fd87d63dc5c2adf99d0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\724faae8-6e07-4144-b61f-6786a5b926ea.vbs

Filesize
709B

MD5
7a4ac2ecfcb8290dfcc2e9dbdcee663c

SHA1
48d27ddad6fdb73d96f2c8fab628540527a0bc7b

SHA256
eeb71d6d5e25a543edfd805b8a641bdbe9355b53e58825ce5ac7a96f601475e3

SHA512
6cd0ff7ab584a58b3988ecf092bfd36d32a3a1da660423266e89793a78d86afe2f34193250bf1ffad32fbe31fb434579b084885d71921d00ba5bab3f5b6d81ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\90969d3e-14f9-4d03-a5e5-2a5b425059bf.vbs

Filesize
710B

MD5
ae0c70d45b7f4e0d1aa126964a3ca61c

SHA1
ed934ad505a39e4827d91b690a70f88a806525d6

SHA256
2d6a5f7c783963ad7e378b3fa3cca8a27bfd67b87f1004eb0ade4d23bcd25572

SHA512
073c06540e164d35cf5031d291139339921f083930b340b205613ffc8753e0791908d1f42f9b97b0f39888493db6f937f3d17f3f63cb3e17641fa6468fcd8fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iin5feko.vdv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6167d36-0951-4324-aaf9-168d8ba29cbc.vbs

Filesize
710B

MD5
f84d9c85cf1575062ef5509e5d61fa63

SHA1
d7d7b7b10e72539c4cfe215fa6edef09a358aad9

SHA256
82270f2f2f2381414e6074f3d52d04b5d3384d5e5f5c4a15372eac1196ce6e51

SHA512
81be15797e6e9ad2c1cdbc6963d14aad2dfd2f6aa01ba2fe8d3abd6cfe6f0e29112a70883b8f8f81c7f9c26112eecc450525994d6dfb701a77e7ebb5f70c8154

Download Submit
C:\Users\Admin\AppData\Local\Temp\bVbe0B3IxC.bat

Filesize
198B

MD5
17c322fea532d50096d38794bdccd89a

SHA1
e0e486f87ed6ccfefaeac2ed12dffaf2b9984b71

SHA256
665df03eec2b184d119219ee6005cc4d483470b46f483a9af55facc700918c83

SHA512
0e595f48622257220c55492d35723c2e508cb88481e27146b683fe82f22d4ef07396a8f43746cb8217d5db35b6b17c332270c3e28b7b4ed279c4b4d2bf4f89ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd5832dd-79a3-4d83-ba0c-5584e934f9af.vbs

Filesize
710B

MD5
078f7ff8b3712874c08c172839668ad8

SHA1
e15441874bbf912f48d6fedad1ee9968aa112699

SHA256
99a007c954e2442519dc8bdd04c96cb8c9dde6d18fa7ac11cebfa6d342585d47

SHA512
ca8fffb75333c6dd46cda1be8a7187a175e0c90a2911707aaa411c768c7c7d64c4c26ac76104b57810c213149ba3386bd7de908135513b84cb79a285ef9f0460

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfea3785-c05c-47cc-86b2-225d215bc65e.vbs

Filesize
709B

MD5
d989e9b51a3e7e1b780e51cfbc7fabd9

SHA1
d58f61d5146736d115b005c9b36a7243e0950e5c

SHA256
fde319171a37884d3363fcf1441ef5e86b61a471ab4af538c3ecb01149a8738d

SHA512
7dda9475809d13f4907ade6aef4a70b880a567a956fbfd8e4285a809c607c2deb576d588ea40cd6c7cd127351f3afadc7c4e4d59d6143b233983871f072f1f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\e77781fa-e49a-4c81-93d6-77ca3e757448.vbs

Filesize
710B

MD5
afb45edbfd01f690c4eb1d80b1888ff6

SHA1
e7fcf224cc7d94dfa5e2c0f92ef930bbbd1b16c6

SHA256
aa8050d96a8ad6c7c82492561220b6f797076db62eda1836caa5a00b96b8d9df

SHA512
413cb3e34dbf566d47f8c48fa99e2fe4069f5b66a2af02b1331f002794b56f2fb54fcd58bf38a1ef7a390634b9102ca9fe3bb652339edb94c462ca5d7b613741

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
588B

MD5
fcbf2c2dfbe44cf49ac137e926264f84

SHA1
1a61a65363273500fec7e675db19f6554d6761d9

SHA256
3230fe056c16891275945587f98cde1f4481ef106d4aab9cb62dfa7a152ec486

SHA512
47472e8192ec6c242d1c9f7c33882f2d1dd369827c363e2d73ab9184bcd410b83948bef1ee01fafec603f5ff865f3d4cc9bdf41417142b2a5f29773813a0c39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\feb48490-eb13-4c53-9202-cddb9be16be8.vbs

Filesize
710B

MD5
1a10b8ef2e89f03e0298e97118583ed1

SHA1
2b4eba8b0514aec0f505fd56d50726dcae27a670

SHA256
f52ed9f689832cc0c6a388c6fa94a05212fb4c7f970eb475abd6cc55413c0eef

SHA512
9717ff72bde4d7e00c09a8af36a3c64542673d15376798ecc7f665483c91a6400b28be279342b6f11c553ea5dfe1b38e9b076c4ac605b16508859dd1ad124b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMVBcLz2S0.bat

Filesize
266B

MD5
39cdcaf62ee129b8d68d605084ac4d1d

SHA1
02986791ee33081d85f802e07acd057dc43c3688

SHA256
dd10110f181297802081eb0182f90cb7de16b11f4489dd1a7bc40493d9752f16

SHA512
dd4caedfc764ffdf009c58fe99b91477d082101173e1d8f3be21322f32a74591c2d8f262e3825ed682ddb44aecde8fe58c215ce426f17114f3e9bcb7651444f4

Download Submit
C:\Windows\System32\wbem\portabledevicetypes\unsecapp.exe

Filesize
1.5MB

MD5
8b94c19be340bab63211bf41f8cff84a

SHA1
3b11722edb38d3303fd7f55007750c8567b2bf85

SHA256
ebd61f9af6a8dd21530241af42217fcdb20a33ce635529fbce43f342a2587ed8

SHA512
2df90061b7ccfc658736807ed7b89b568ad790ca83748fbe07e659d31916c480f8892fab3a72d42674877e1dec8de6583f3b9e5643785b582bceb2b348f82959

Download Submit
memory/1148-13-0x000000001B500000-0x000000001B50A000-memory.dmp

Filesize
40KB

Download
memory/1148-0-0x00007FFC50C43000-0x00007FFC50C45000-memory.dmp

Filesize
8KB

Download
memory/1148-12-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

Filesize
32KB

Download
memory/1148-25-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/1148-24-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/1148-21-0x000000001BF00000-0x000000001BF08000-memory.dmp

Filesize
32KB

Download
memory/1148-20-0x000000001BB80000-0x000000001BB8C000-memory.dmp

Filesize
48KB

Download
memory/1148-18-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/1148-16-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/1148-17-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/1148-15-0x000000001BB40000-0x000000001BB4A000-memory.dmp

Filesize
40KB

Download
memory/1148-2-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/1148-14-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/1148-4-0x000000001B470000-0x000000001B482000-memory.dmp

Filesize
72KB

Download
memory/1148-1-0x00000000006F0000-0x000000000086E000-memory.dmp

Filesize
1.5MB

Download
memory/1148-95-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/1148-11-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/1148-10-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/1148-3-0x0000000001190000-0x0000000001198000-memory.dmp

Filesize
32KB

Download
memory/1148-8-0x000000001B4B0000-0x000000001B4B8000-memory.dmp

Filesize
32KB

Download
memory/1148-9-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

Filesize
48KB

Download
memory/1148-7-0x000000001B4A0000-0x000000001B4AC000-memory.dmp

Filesize
48KB

Download
memory/1148-5-0x000000001B490000-0x000000001B49C000-memory.dmp

Filesize
48KB

Download
memory/1148-6-0x000000001B480000-0x000000001B48A000-memory.dmp

Filesize
40KB

Download
memory/1720-81-0x000001CF78890000-0x000001CF788B2000-memory.dmp

Filesize
136KB

Download
memory/2412-268-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/2860-255-0x000000001B570000-0x000000001B582000-memory.dmp

Filesize
72KB

Download
memory/2900-291-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/4036-325-0x0000000003140000-0x0000000003152000-memory.dmp

Filesize
72KB

Download
memory/4252-348-0x00000000019E0000-0x00000000019F2000-memory.dmp

Filesize
72KB

Download