dcrat | ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff

Resubmissions

13/01/2025, 06:01

250113-gqyq5syqex 10

12/01/2025, 22:40

250112-2ll7rsvqek 10

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2025, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Size

1.5MB
MD5

207f37be38ccbb0fe77bda8d4ab69187
SHA1

97a4aa79a700e336ca8450bfbf38d7e18215173b
SHA256

ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff
SHA512

34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRK:kzhWhCXQFN+0IEuQgyiVKS

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 11 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4612	schtasks.exe
File created	C:\Windows\System32\doskey\cc11b995f2a76d		ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
		724	schtasks.exe
		2776	schtasks.exe
		888	schtasks.exe
		4968	schtasks.exe
		1984	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
		3452	schtasks.exe
		4388	schtasks.exe
		2248	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\PerfLogs\\explorer.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\PerfLogs\\explorer.exe\", \"C:\\PerfLogs\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App\\8.0.2\\ru\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\doskey\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\PerfLogs\\explorer.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	232	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	232	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3768	powershell.exe
1060	powershell.exe
1456	powershell.exe
3024	powershell.exe
1400	powershell.exe
2308	powershell.exe
4524	powershell.exe
3124	powershell.exe
3008	powershell.exe
4912	powershell.exe
1900	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 10 IoCs

pid	Process
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
4876	spoolsv.exe
1540	spoolsv.exe
2044	spoolsv.exe
1240	spoolsv.exe
1956	spoolsv.exe
3384	spoolsv.exe
1568	spoolsv.exe
4524	spoolsv.exe
1448	spoolsv.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Documents and Settings\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PerfLogs\\StartMenuExperienceHost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\doskey\\winlogon.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Documents and Settings\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\explorer.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App\\8.0.2\\ru\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App\\8.0.2\\ru\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\wbemcore\\unsecapp.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\explorer.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\doskey\\winlogon.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\doskey\winlogon.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\doskey\winlogon.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\doskey\cc11b995f2a76d	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\wbem\wbemcore\unsecapp.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\wbem\wbemcore\29c1c3cc0f7685	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\doskey\RCXBE01.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\wbem\wbemcore\RCXC249.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\wbem\wbemcore\unsecapp.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\sppsvc.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\e1ef82546f0b02	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXC035.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4612	schtasks.exe
3452	schtasks.exe
2248	schtasks.exe
2776	schtasks.exe
4968	schtasks.exe
4388	schtasks.exe
1984	schtasks.exe
724	schtasks.exe
888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2308	powershell.exe
2308	powershell.exe
3768	powershell.exe
1900	powershell.exe
1060	powershell.exe
1456	powershell.exe
1900	powershell.exe
1456	powershell.exe
1060	powershell.exe
3768	powershell.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
3124	powershell.exe
3124	powershell.exe
3008	powershell.exe
3008	powershell.exe
1400	powershell.exe
1400	powershell.exe
4524	powershell.exe
4524	powershell.exe
4912	powershell.exe
4912	powershell.exe
3024	powershell.exe
3024	powershell.exe
3008	powershell.exe
3124	powershell.exe
1400	powershell.exe
3024	powershell.exe
4524	powershell.exe
4912	powershell.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	4876	spoolsv.exe
Token: SeDebugPrivilege	1540	spoolsv.exe
Token: SeDebugPrivilege	2044	spoolsv.exe
Token: SeDebugPrivilege	1240	spoolsv.exe
Token: SeDebugPrivilege	1956	spoolsv.exe
Token: SeDebugPrivilege	3384	spoolsv.exe
Token: SeDebugPrivilege	1568	spoolsv.exe
Token: SeDebugPrivilege	4524	spoolsv.exe
Token: SeDebugPrivilege	1448	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2308	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	88
PID 3440 wrote to memory of 2308	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	88
PID 3440 wrote to memory of 1900	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	89
PID 3440 wrote to memory of 1900	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	89
PID 3440 wrote to memory of 3768	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	90
PID 3440 wrote to memory of 3768	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	90
PID 3440 wrote to memory of 1060	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	91
PID 3440 wrote to memory of 1060	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	91
PID 3440 wrote to memory of 1456	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	92
PID 3440 wrote to memory of 1456	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	92
PID 3440 wrote to memory of 1472	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	98
PID 3440 wrote to memory of 1472	3440	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	98
PID 1472 wrote to memory of 3840	1472	cmd.exe	100
PID 1472 wrote to memory of 3840	1472	cmd.exe	100
PID 1472 wrote to memory of 3004	1472	cmd.exe	109
PID 1472 wrote to memory of 3004	1472	cmd.exe	109
PID 3004 wrote to memory of 3024	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	119
PID 3004 wrote to memory of 3024	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	119
PID 3004 wrote to memory of 4524	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	120
PID 3004 wrote to memory of 4524	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	120
PID 3004 wrote to memory of 3124	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	121
PID 3004 wrote to memory of 3124	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	121
PID 3004 wrote to memory of 3008	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	122
PID 3004 wrote to memory of 3008	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	122
PID 3004 wrote to memory of 4912	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	123
PID 3004 wrote to memory of 4912	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	123
PID 3004 wrote to memory of 1400	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	124
PID 3004 wrote to memory of 1400	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	124
PID 3004 wrote to memory of 4916	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	131
PID 3004 wrote to memory of 4916	3004	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	131
PID 4916 wrote to memory of 756	4916	cmd.exe	133
PID 4916 wrote to memory of 756	4916	cmd.exe	133
PID 4916 wrote to memory of 4876	4916	cmd.exe	135
PID 4916 wrote to memory of 4876	4916	cmd.exe	135
PID 4876 wrote to memory of 2776	4876	spoolsv.exe	136
PID 4876 wrote to memory of 2776	4876	spoolsv.exe	136
PID 4876 wrote to memory of 4784	4876	spoolsv.exe	137
PID 4876 wrote to memory of 4784	4876	spoolsv.exe	137
PID 2776 wrote to memory of 1540	2776	WScript.exe	140
PID 2776 wrote to memory of 1540	2776	WScript.exe	140
PID 1540 wrote to memory of 700	1540	spoolsv.exe	141
PID 1540 wrote to memory of 700	1540	spoolsv.exe	141
PID 1540 wrote to memory of 1948	1540	spoolsv.exe	142
PID 1540 wrote to memory of 1948	1540	spoolsv.exe	142
PID 700 wrote to memory of 2044	700	WScript.exe	144
PID 700 wrote to memory of 2044	700	WScript.exe	144
PID 2044 wrote to memory of 1564	2044	spoolsv.exe	145
PID 2044 wrote to memory of 1564	2044	spoolsv.exe	145
PID 2044 wrote to memory of 3036	2044	spoolsv.exe	146
PID 2044 wrote to memory of 3036	2044	spoolsv.exe	146
PID 1564 wrote to memory of 1240	1564	WScript.exe	147
PID 1564 wrote to memory of 1240	1564	WScript.exe	147
PID 1240 wrote to memory of 1952	1240	spoolsv.exe	148
PID 1240 wrote to memory of 1952	1240	spoolsv.exe	148
PID 1240 wrote to memory of 3456	1240	spoolsv.exe	149
PID 1240 wrote to memory of 3456	1240	spoolsv.exe	149
PID 1952 wrote to memory of 1956	1952	WScript.exe	150
PID 1952 wrote to memory of 1956	1952	WScript.exe	150
PID 1956 wrote to memory of 1520	1956	spoolsv.exe	151
PID 1956 wrote to memory of 1520	1956	spoolsv.exe	151
PID 1956 wrote to memory of 2784	1956	spoolsv.exe	152
PID 1956 wrote to memory of 2784	1956	spoolsv.exe	152
PID 1520 wrote to memory of 3384	1520	WScript.exe	153
PID 1520 wrote to memory of 3384	1520	WScript.exe	153

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
"C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\doskey\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\wbemcore\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2FhzVdMLXV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3840
- - C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
    "C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\StartMenuExperienceHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\SppExtComObj.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KUAHj3z91P.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:756
    - - C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4876
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86942bca-25c5-4a54-a075-a1dfa7e322ad.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\382f01b9-bf0b-445d-ac02-0f3af81ab9e9.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\909e93c5-9648-4218-bb0f-0a51b98bbfe1.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c1d88e1-f75e-4ac4-9256-36b41cc071de.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93a7440-3864-4ddf-afb8-88a02289aac8.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a198ec2c-6aa2-4928-ac2b-6b075f8954de.vbs"
        16⤵
        
        PID:4968
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b789177c-4dfa-4507-be55-0e1e457ba525.vbs"
        18⤵
        
        PID:3228
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ad0ae0-f9fc-42a3-9f26-839b58cd8c16.vbs"
        20⤵
        
        PID:4308
        
        C:\Documents and Settings\spoolsv.exe
        
        "C:\Documents and Settings\spoolsv.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0669cd79-c619-495a-a730-a53622c015a1.vbs"
        22⤵
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\904981e5-c3f1-42d4-9e25-2e6a8d1f9e87.vbs"
        22⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05d68c30-a149-454a-8657-a9e33744209c.vbs"
        20⤵
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b40c38-ddb0-4882-ac24-e633c162698d.vbs"
        18⤵
        
        PID:3972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88aed4da-0563-4929-8dff-12cff068e091.vbs"
        16⤵
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af4a4090-3029-4be3-877d-20656ed849d0.vbs"
        14⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c7c8bb7-fc76-4098-b1a7-edd8231e1e02.vbs"
        12⤵
        
        PID:3456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17f2c22-47ba-4cbd-9459-5bb391611540.vbs"
        10⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc48e21-4567-4d14-b68e-a6090e476315.vbs"
        8⤵
        
        PID:1948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdb2d069-bc7c-465e-8d5a-3b5428cb4c8e.vbs"
        6⤵
        
        PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\doskey\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wbemcore\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\9e8d7a4ca61bd9

Filesize
112B

MD5
8c8d32cfe8ac7fc33204ceb64cee8aa4

SHA1
472222ccd8e9f068379b78a80148026ab7d97b6e

SHA256
25a2ce30aa68dde417e8e142945034ce147095ce9c871d1c02617ca32d3877ce

SHA512
46284a4f57403376f120971808d1bb7382ea42ab7031d69a0e4d09db248ae3c91a066d98830f81b38e4c9cb4fd0d398de798934465979a5db75f047721c39260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
238B

MD5
1d54bc7bb57755a84931e6fbc97ef30e

SHA1
abc1f2b95d73a3d009685699391c3a33fb8994ee

SHA256
ae8b8b5e589a4aa97a5a2fad1afa3ac4c660fa389d550d192fdf89d153a06996

SHA512
016bff0d73d816a8f1cef2faec4c70a5c4a1b0e9d42a07a48a90507162617d90f5420a8781d117f31fff21ba38853ffe4e1ec73ceb87d765cc38234b072eebaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f41b750bea880bee9fa4b247c5fd2a89

SHA1
10a120a0ad703c75fba2924673dab91b17861071

SHA256
0302012df134125fbe04166c62a9ea65649985efc8a3067d1de0be487840a57d

SHA512
f377d6f38a1c0fa0cf311fb929a2b1d86984cf175935251a21043beb246fdae03a688a0f7eda95eb5b0aedf206f41aee03eb4812b2ee2f66a451472759f87a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\0669cd79-c619-495a-a730-a53622c015a1.vbs

Filesize
713B

MD5
1cc476be2e8811af282a8321012593e9

SHA1
22b84cda98c33495da96fb08761d12341f4f5213

SHA256
dfe8c81a232fb3247bee4a23e1d66dcc229561bd8bcb508fb6ab0182fddbd95b

SHA512
de349042d41ac9be8a34862814a13ef2f64a08a986e24ea2a1e5aa9dadc6ac87e728b63dd869927f5e703741d051b77b3ef9dab765a2c4b6ecf603edbe3ef851

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FhzVdMLXV.bat

Filesize
266B

MD5
c8b11c4a7488decdca740e96884cf94b

SHA1
e5b91614aa259213bd51ae69a4bbbc6ab1d20ab9

SHA256
dd69db47ad7c62417a551103dc7d1a7801044e9b37a594ea7b7ea12f9b768ed1

SHA512
4026f9e5726f586a3fbeac6267dbcaa7f322d6bd7d8903fcf9b7bbec2ad0003d4736e7a0e0f5bcfd7a1a9ee70a0fabb42120ce127bf928fa18f3edae0f39a22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\382f01b9-bf0b-445d-ac02-0f3af81ab9e9.vbs

Filesize
713B

MD5
305f21dfda637038ed09015e77f068b0

SHA1
14cc660eef2a9d4717755e9d8c1c4f89565c6388

SHA256
28210d8e65e6e7d29e81f2132ad3bb967547c97b39e04e7c9baf0e8807615c84

SHA512
8269a39167c4f86c9c75b0f379153825c7f04250fb9bbbe3182d1163d2aa310f760af33d6788448502156f1571712a8a142f16c2564ba50b8f7d9db4fde3f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c1d88e1-f75e-4ac4-9256-36b41cc071de.vbs

Filesize
713B

MD5
2a014a629208d1c598db18c6392aa416

SHA1
4cfd4f5253516d3af135ca155b7ad44939005450

SHA256
f8e0e04a22b50b465fdaf2d47fcf3230b833735cf95d9d7fe80caf1263b44dbb

SHA512
8d727fa6a1cebbcde2229cd11fb5df9acf7bd24271e36a37ce8ed6bfe3174f7b70c5069bc61601d16968b2bfa8fed0a9eb7c9f3f8b86e00455c565de5d5c0335

Download Submit
C:\Users\Admin\AppData\Local\Temp\52ad0ae0-f9fc-42a3-9f26-839b58cd8c16.vbs

Filesize
713B

MD5
c81eb74760e03882a479ac5fab4cdb25

SHA1
11d71b423af656b8cd39cc7969b08e987658926a

SHA256
99df0c883fefdfd18aab68cf4e5eb0f6a894e34465111232c531754c02f0c3ac

SHA512
9e38878b79bd4ec6bc75070be53661c5a5223344c908ad9594f7f9a3b8f6af11618ab8ad95ea5cdd77f2b9102c3b3949f82bfbd4eeab4445603e7efafb6c9792

Download Submit
C:\Users\Admin\AppData\Local\Temp\86942bca-25c5-4a54-a075-a1dfa7e322ad.vbs

Filesize
713B

MD5
6fb436d6600f2e142e4ef70849252047

SHA1
eb2024d3e50c90ec9f61f80c20aab4b811b35948

SHA256
2bc398cf5eba79194dea398e7dca26c5198b36bde51651e2d5cd579ad97eb47b

SHA512
a6e5097ef6fa48a441890bb2f2c14123831a1d86d7369c98901218f6885213129c386221a5f8b433c5848d8eca3c4bc8a5b8f6171eacc648dd64b42fbfac39d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\909e93c5-9648-4218-bb0f-0a51b98bbfe1.vbs

Filesize
713B

MD5
a4bdd1bb1e7e3d75fa36470c1df3cf5f

SHA1
9888306bedd9ac51102bfa465b69642cfaf0de0b

SHA256
81c37c4acbc7469de6997b822c8f3fbb5d49e1f3ec0ac0b0f644f28e4136212d

SHA512
895b44169c15cfd6cd96ee189add1c6bd3dd17b687375204faabfb3c1c2d45756efe515a552c6dc22a93b2b39d5c61e6a62124f44db3ab7895630dc2232c9c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAHj3z91P.bat

Filesize
201B

MD5
f272219abcdb315d97025bd03d017056

SHA1
34e17f2056539a17a9609eee0546d8233b508ab2

SHA256
7aa82bea3bbb66d0dde38e86b81e21826088fe3429ea4e4c2c2fec3d395d6c28

SHA512
2d7087f33d118dda75fdbae37093541cab143ed99374f35ebba15472769afa79bc8fc2bc84531ba1928fc124533cf4a447be6637dcfc2a71705b304edc3fc6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wqp455n.frt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a198ec2c-6aa2-4928-ac2b-6b075f8954de.vbs

Filesize
713B

MD5
044f8dbc2d86e316763c3bb368a0b06b

SHA1
b3661692a16bfcb9696f8ef6cee8bb92e59d1e89

SHA256
b83b106ac15e7befcb3986a9207d960b03a6660ed672938ff64f8ed838093cfa

SHA512
6a385f0889dfaa005c99a8c0e73ef3ed6f4eda73ae3907d3b9f626db6e6200c06997ac3b3f0d2ccd48ede8e7c4da0e4870761fdea1a9afafac1739b0f1aafcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b789177c-4dfa-4507-be55-0e1e457ba525.vbs

Filesize
713B

MD5
c06ec6e8f9b025be379339f5bdb87108

SHA1
81b844c1c664ec4adb6e1630a0bf753dc1f8ba68

SHA256
f9abe38746b019b993928c9f75a30cf226e4e6e9ac16c5c530895e869d4b57c5

SHA512
118a4a00f0a863b22396f28ebd9306009057887b9ea733f2e9b7dfe21431bcd486927f216d790aa9b5d79cc1d4c7d4e7119c611529da99d3e187d4319b627d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\d93a7440-3864-4ddf-afb8-88a02289aac8.vbs

Filesize
713B

MD5
898bccd7d84f39a3c30873c5286fbd0a

SHA1
e93a9125ee70750260e710b75d9476b5eb4e5482

SHA256
17361fe0a052e9834a5379d014a5882221600ae53984b1e5a73a9059ff151850

SHA512
4295b74d8c8b000b334221f45f1df95865821a0d7cd89ba3cd40aeb9633f1fbd072f631aabcc61a4088a47840a7cfc07542a6b05048a096ca3ceaf6034747a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
492B

MD5
d3f975645542491f829c4bd564bf4ad4

SHA1
54b717c2c75717159c3493d3d90163b24bcdb0bb

SHA256
07cf051d9ad7d76a4b71cb4dc9b651586b4e1c9b9c58d6d819d29e1695092e1f

SHA512
7e5d18c2450355932f488dc0b8e15a5734d48e0199201cbb339b9fd590df76e4313aeec7b6747cea3f527cd7ee925be70774aaaf35d1dd3e9509f82a534595a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdb2d069-bc7c-465e-8d5a-3b5428cb4c8e.vbs

Filesize
489B

MD5
50870a0feca43b0ccc10b4a8e3973ab7

SHA1
18d566b189d17c7c5740e721dd9e3023efd2855c

SHA256
71502649026cc3efe83aade24c73d669604456777b86c19b932e2c6ca68d8393

SHA512
e4d2fc62a5f77afadaf28d64fca9cb896f17785660d071b1ee03964259908f677329cfb22e3349e5f775e1d1fa7c20037455ae5fbebfe5f30d738591b8bf10c5

Download Submit
C:\Windows\System32\doskey\winlogon.exe

Filesize
1.5MB

MD5
207f37be38ccbb0fe77bda8d4ab69187

SHA1
97a4aa79a700e336ca8450bfbf38d7e18215173b

SHA256
ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff

SHA512
34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e

Download Submit
memory/1240-266-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/1540-242-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download
memory/2044-254-0x000000001B5E0000-0x000000001B5F2000-memory.dmp

Filesize
72KB

Download
memory/2308-78-0x00000155C3420000-0x00000155C3442000-memory.dmp

Filesize
136KB

Download
memory/3440-42-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-21-0x000000001C7E0000-0x000000001C7E8000-memory.dmp

Filesize
32KB

Download
memory/3440-12-0x000000001C3F0000-0x000000001C3F8000-memory.dmp

Filesize
32KB

Download
memory/3440-11-0x000000001C3E0000-0x000000001C3F0000-memory.dmp

Filesize
64KB

Download
memory/3440-10-0x000000001C3D0000-0x000000001C3E0000-memory.dmp

Filesize
64KB

Download
memory/3440-80-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-14-0x000000001C410000-0x000000001C41C000-memory.dmp

Filesize
48KB

Download
memory/3440-9-0x000000001C3C0000-0x000000001C3CC000-memory.dmp

Filesize
48KB

Download
memory/3440-8-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

Filesize
32KB

Download
memory/3440-7-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

Filesize
48KB

Download
memory/3440-6-0x000000001C390000-0x000000001C39A000-memory.dmp

Filesize
40KB

Download
memory/3440-5-0x000000001C380000-0x000000001C38C000-memory.dmp

Filesize
48KB

Download
memory/3440-13-0x000000001C400000-0x000000001C40A000-memory.dmp

Filesize
40KB

Download
memory/3440-1-0x0000000000FD0000-0x000000000114E000-memory.dmp

Filesize
1.5MB

Download
memory/3440-2-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-25-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-4-0x000000001C270000-0x000000001C282000-memory.dmp

Filesize
72KB

Download
memory/3440-16-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/3440-24-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-0-0x00007FFEEDD43000-0x00007FFEEDD45000-memory.dmp

Filesize
8KB

Download
memory/3440-3-0x000000001BC50000-0x000000001BC58000-memory.dmp

Filesize
32KB

Download
memory/3440-20-0x000000001C460000-0x000000001C46C000-memory.dmp

Filesize
48KB

Download
memory/3440-18-0x000000001C450000-0x000000001C458000-memory.dmp

Filesize
32KB

Download
memory/3440-17-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/3440-15-0x000000001C420000-0x000000001C42A000-memory.dmp

Filesize
40KB

Download
memory/4524-311-0x0000000001470000-0x0000000001482000-memory.dmp

Filesize
72KB

Download
memory/4876-229-0x0000000002B00000-0x0000000002B12000-memory.dmp

Filesize
72KB

Download