dcrat | 8892a4ce442b8651e770db53457bcf68eba1d8847fe638af004683845e103c3d

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Size

2.2MB
MD5

812ac1ea0b1d66a93d0beca70cc28cbe
SHA1

c5cff3dc9a2503521de74a7d4cda2f678f5bb575
SHA256

74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3
SHA512

01acc3b99130f0d263917e4e362caf25841b21e3a9a82ce40004db96239ebcc8762a57ebad020ed704213596a100d060475cd9fd61c5bd4df9a35ff14d4cc6f6
SSDEEP

49152:K31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:KltZUE6NDyTo9lv2F+VvK6

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 37 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3760	schtasks.exe
		1256	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
		372	schtasks.exe
		4320	schtasks.exe
		1644	schtasks.exe
		4428	schtasks.exe
		964	schtasks.exe
		5012	schtasks.exe
		528	schtasks.exe
		3088	schtasks.exe
		848	schtasks.exe
		4936	schtasks.exe
		1060	schtasks.exe
		4708	schtasks.exe
		1340	schtasks.exe
		424	schtasks.exe
		1376	schtasks.exe
		4576	schtasks.exe
		1272	schtasks.exe
		2928	schtasks.exe
		1908	schtasks.exe
		3236	schtasks.exe
		2816	schtasks.exe
		2076	schtasks.exe
		396	schtasks.exe
		1244	schtasks.exe
		1664	schtasks.exe
		2460	schtasks.exe
		552	schtasks.exe
		1792	schtasks.exe
		4580	schtasks.exe
		4824	schtasks.exe
		1384	schtasks.exe
		3832	schtasks.exe
		2836	schtasks.exe
		5028	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\", \"C:\\Windows\\Containers\\serviced\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\fontdrvhost.exe\", \"C:\\Windows\\Web\\Wallpaper\\lsass.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\TextInputHost.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\", \"C:\\Windows\\Containers\\serviced\\upfc.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\", \"C:\\Windows\\Containers\\serviced\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\fontdrvhost.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\", \"C:\\Windows\\Containers\\serviced\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\fontdrvhost.exe\", \"C:\\Windows\\Web\\Wallpaper\\lsass.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\services.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\", \"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\", \"C:\\Windows\\Containers\\serviced\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\fontdrvhost.exe\", \"C:\\Windows\\Web\\Wallpaper\\lsass.exe\", \"C:\\Users\\Admin\\My Documents\\upfc.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4236	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4236	schtasks.exe	82

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/748-1-0x0000000000DB0000-0x0000000000FDE000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca7-41.dat	dcrat
behavioral2/files/0x0008000000023c9e-93.dat	dcrat
behavioral2/files/0x0009000000023ca0-102.dat	dcrat
behavioral2/files/0x000a000000023ca4-127.dat	dcrat
behavioral2/files/0x000b000000023cac-163.dat	dcrat
behavioral2/files/0x000300000001e764-174.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 3 IoCs

pid	Process
3212	csrss.exe
2968	csrss.exe
2216	csrss.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\DigitalLocker\\en-US\\services.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\TextInputHost.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\DigitalLocker\\en-US\\services.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3 = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Containers\\serviced\\upfc.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\fontdrvhost.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\fontdrvhost.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhostw.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\csrss.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Media Player\\fr-FR\\RuntimeBroker.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Web\\Wallpaper\\lsass.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\Idle.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3 = "\"C:\\Program Files\\Mozilla Firefox\\gmp-clearkey\\0.1\\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Containers\\serviced\\upfc.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Web\\Wallpaper\\lsass.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\My Documents\\upfc.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\TextInputHost.exe\""	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXBC2A.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC0C3.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\RCXAFCC.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\RCXAFCD.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXB55F.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\Idle.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC055.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files (x86)\Windows Portable Devices\22eafd247d37c3	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\6ccacd8608530f	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB763.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXB9F7.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\Idle.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ea9f0e6c9e2dcd	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\Windows Media Player\fr-FR\9e8d7a4ca61bd9	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXB979.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC7DC.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC7DD.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\8da2e5f9ab7abb	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXB4E1.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB764.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXBC2B.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\6203df4a6bafc7	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\Web\Wallpaper\RCXC2C8.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\Web\Wallpaper\RCXC346.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\Containers\serviced\RCXBE3F.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\Containers\serviced\RCXBE40.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Windows\Containers\serviced\ea1d8f6d871115	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB2DC.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\services.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Windows\DigitalLocker\en-US\services.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\Web\Wallpaper\lsass.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB25E.tmp	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File opened for modification	C:\Windows\Containers\serviced\upfc.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Windows\DigitalLocker\en-US\c5b4cb5e9653cc	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Windows\Containers\serviced\upfc.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
File created	C:\Windows\Web\Wallpaper\lsass.exe	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
1272	schtasks.exe
4576	schtasks.exe
2836	schtasks.exe
1340	schtasks.exe
848	schtasks.exe
1256	schtasks.exe
1244	schtasks.exe
1908	schtasks.exe
2816	schtasks.exe
3760	schtasks.exe
1644	schtasks.exe
1792	schtasks.exe
1664	schtasks.exe
1384	schtasks.exe
4936	schtasks.exe
1376	schtasks.exe
424	schtasks.exe
3088	schtasks.exe
964	schtasks.exe
4580	schtasks.exe
4428	schtasks.exe
1060	schtasks.exe
5028	schtasks.exe
528	schtasks.exe
372	schtasks.exe
396	schtasks.exe
4320	schtasks.exe
2460	schtasks.exe
2076	schtasks.exe
552	schtasks.exe
3832	schtasks.exe
4824	schtasks.exe
4708	schtasks.exe
5012	schtasks.exe
3236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe
3212	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Token: SeDebugPrivilege	3212	csrss.exe
Token: SeDebugPrivilege	2968	csrss.exe
Token: SeDebugPrivilege	2216	csrss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3212	748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe	121
PID 748 wrote to memory of 3212	748	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe	121
PID 3212 wrote to memory of 4708	3212	csrss.exe	123
PID 3212 wrote to memory of 4708	3212	csrss.exe	123
PID 3212 wrote to memory of 2020	3212	csrss.exe	124
PID 3212 wrote to memory of 2020	3212	csrss.exe	124
PID 4708 wrote to memory of 2968	4708	WScript.exe	130
PID 4708 wrote to memory of 2968	4708	WScript.exe	130
PID 2968 wrote to memory of 2940	2968	csrss.exe	131
PID 2968 wrote to memory of 2940	2968	csrss.exe	131
PID 2968 wrote to memory of 4204	2968	csrss.exe	132
PID 2968 wrote to memory of 4204	2968	csrss.exe	132
PID 2940 wrote to memory of 2216	2940	WScript.exe	133
PID 2940 wrote to memory of 2216	2940	WScript.exe	133
PID 2216 wrote to memory of 1664	2216	csrss.exe	134
PID 2216 wrote to memory of 1664	2216	csrss.exe	134
PID 2216 wrote to memory of 528	2216	csrss.exe	135
PID 2216 wrote to memory of 528	2216	csrss.exe	135

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe
"C:\Users\Admin\AppData\Local\Temp\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:748
- C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
  "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3212
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f1ea381-dde4-457a-b7b0-b30c7a7b2e04.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
      "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c4c3d48-cf4d-4f1e-9427-6589b7ffb735.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52854819-6f45-4403-86da-e3ee0200ceea.vbs"
        7⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\155ba8f0-2799-47ab-90a1-b9c1674c2e83.vbs"
        7⤵
        
        PID:528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37bdac00-83a7-4511-9688-9e315fdf706a.vbs"
        5⤵
        
        PID:4204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e64ad7e-b459-4b46-b779-4556741a6e2d.vbs"
    3⤵
    PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e37" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e37" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\Containers\serviced\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\serviced\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe

Filesize
2.2MB

MD5
75e49a4b7222949dd56b1271f79a6c74

SHA1
0d46391a9c61a4abebe6a3d536d0f776de390250

SHA256
38ebd92779e9745511b09c66c2211cfd267d7361cebd732085d964be417cf66f

SHA512
5d4f495d43265aa757e83c35ce983700cfae53f8b79f606fa2227d3568cf095fb4ae75eea05ab6d35fd3ecedd1e037cfa3639b47380f2c9e01ed0aec4b685fb4

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
2.2MB

MD5
812ac1ea0b1d66a93d0beca70cc28cbe

SHA1
c5cff3dc9a2503521de74a7d4cda2f678f5bb575

SHA256
74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3

SHA512
01acc3b99130f0d263917e4e362caf25841b21e3a9a82ce40004db96239ebcc8762a57ebad020ed704213596a100d060475cd9fd61c5bd4df9a35ff14d4cc6f6

Download Submit
C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe

Filesize
2.2MB

MD5
f790c576fc64d4448520a4d6472323bc

SHA1
e6cf2f6b5c549edfa85f42fb79cc29d0c2eb6aea

SHA256
50f41a673dcfc659ac0fbe3b58b95f80baf52e26bfc57e654aca174d15dbb9a6

SHA512
ef7d85e6cae82b2d947cd2559fa9759fa208bc485a2eafeb3663845dc7d008f3000fd5d86bd6a6ef0e2baa9063d021db12688016706feb236451d5a93f10d3f3

Download Submit
C:\Program Files\Windows Photo Viewer\it-IT\taskhostw.exe

Filesize
2.2MB

MD5
7d9da66edebdce460dccf7e529f01f90

SHA1
17baf2464b9633ffa52f3418cdfd697cdf0102ea

SHA256
b58905d41b1b771c5987b4210561f5507bf286a064c7818f7a94a5df85648443

SHA512
a2f8e9f9a2d4aa2c9e426c6fc928adec760111e63c76b47d380319082f1f51708d6efe05d3aa8dfc973e0a4cee9a4706b339f1da5a15baf1815d00e5dbc637c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c4c3d48-cf4d-4f1e-9427-6589b7ffb735.vbs

Filesize
736B

MD5
13265578a6044dd7a327c2f1fdde44eb

SHA1
28d0b8f5a1742d1792461584a87013256ef3f3ec

SHA256
1001ef17affb77c5a779bad78b683f6e74f25244ede47ba6eee93a3e87da593e

SHA512
c11fa4ca8abad2cec9fafeda1db356d73746532a9054ab045faea537524f0b83e00512161e5b720fd0bb0e23109ba10432468864306fbc5bfc85983fbb8c2442

Download Submit
C:\Users\Admin\AppData\Local\Temp\52854819-6f45-4403-86da-e3ee0200ceea.vbs

Filesize
736B

MD5
08ffbb55c8a74ee8b63fa50321b56f7b

SHA1
e3473fee6ce8c1d72f261fa9b3c14e85ef150b80

SHA256
c6a1bdd7867db4e9ad50f0be1555f2c1b24051053aff28e25a2dfaac3bebd1d4

SHA512
40cada193a8b8c125c3eb3ddbb23705db171a64b08a9c52826be25176a3189319a1a4ad1a32c787ea1619e2b4c86db11c36588c3c73ba8fb0ef8d99d90948e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e64ad7e-b459-4b46-b779-4556741a6e2d.vbs

Filesize
512B

MD5
306797ef4bd577fd48c639afa45371f3

SHA1
9a1c8cf866f5fb83257c6f16420cfebee8d05045

SHA256
7a3d620dcb42101f24f236017bd18acc220c968ae6a7e57a40ca6ffbfcd36f39

SHA512
96b5e6291a9964869a8a71acb40a97fd2c831799f454600580431917ee5687cc0ff54f678340f1d2da820a4062a3d7ab1509919fe161800c82d773eea5f51c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f1ea381-dde4-457a-b7b0-b30c7a7b2e04.vbs

Filesize
736B

MD5
3c614bda3be2fafc95812a3ffc834db0

SHA1
423941b23654336be80d5888b45c6b247e7f4b1d

SHA256
6032387bb38eddc9336c27bc80417f450723a599cee3a7f2b3082c2c1f17e615

SHA512
7f599aed31866fdb51e407b3796bb45ec2997fbfeb2fd2f1c9ad5a3ebca4de9e375e535b2dd466c5a2196664e336d8333cf58262217eb59385506a36fdaa147b

Download Submit
C:\Windows\DigitalLocker\en-US\services.exe

Filesize
2.2MB

MD5
1421a0505b2c30c75c4d49cce95dd9dd

SHA1
7e25a3d003ea58bd8909a58e0e29a7583f94021d

SHA256
110f74f36fc02d47d512768edc60911fafa15be4334f61be82bd22175daea822

SHA512
26faac396eb1dddb3658c80c67ec6962c0f3e9b82a2066eb8e758dfef2a24d2ece9358412b0b4688ed57b8b734805f461d945a5ed851f291c909543692ea2bcc

Download Submit
C:\Windows\Web\Wallpaper\lsass.exe

Filesize
2.2MB

MD5
fe73cd825c1a329670b9617e968cf1cc

SHA1
80acb9b879fea6ecb1263bdfe20e6cb2615afe8c

SHA256
2f2af3d2e42e5ab96d8be811fec71c656604c374bf46fdd47643b7b80da37742

SHA512
07e32b8175f98f5660a64c7e7e664619543faf7247ac1223eb87b11e72ee3cfa285f386e32575b3bfcfcd0cacdbb7f866dc34281420e6831fe8c7549f6917069

Download Submit
memory/748-27-0x000000001C5C0000-0x000000001C5CE000-memory.dmp

Filesize
56KB

Download
memory/748-24-0x000000001BD80000-0x000000001BD8A000-memory.dmp

Filesize
40KB

Download
memory/748-13-0x00000000033A0000-0x00000000033AA000-memory.dmp

Filesize
40KB

Download
memory/748-14-0x0000000003410000-0x000000000341C000-memory.dmp

Filesize
48KB

Download
memory/748-15-0x0000000003420000-0x0000000003428000-memory.dmp

Filesize
32KB

Download
memory/748-16-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/748-17-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/748-19-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download
memory/748-20-0x000000001C8E0000-0x000000001CE08000-memory.dmp

Filesize
5.2MB

Download
memory/748-21-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/748-22-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/748-23-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/748-28-0x000000001C610000-0x000000001C61C000-memory.dmp

Filesize
48KB

Download
memory/748-0-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/748-29-0x000000001C620000-0x000000001C628000-memory.dmp

Filesize
32KB

Download
memory/748-31-0x000000001C630000-0x000000001C63C000-memory.dmp

Filesize
48KB

Download
memory/748-30-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/748-26-0x000000001C4B0000-0x000000001C4B8000-memory.dmp

Filesize
32KB

Download
memory/748-25-0x000000001BD90000-0x000000001BD9E000-memory.dmp

Filesize
56KB

Download
memory/748-12-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/748-34-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/748-11-0x0000000003390000-0x0000000003398000-memory.dmp

Filesize
32KB

Download
memory/748-10-0x0000000003220000-0x000000000322C000-memory.dmp

Filesize
48KB

Download
memory/748-7-0x0000000001800000-0x0000000001808000-memory.dmp

Filesize
32KB

Download
memory/748-8-0x0000000001960000-0x0000000001970000-memory.dmp

Filesize
64KB

Download
memory/748-154-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/748-9-0x0000000003370000-0x0000000003386000-memory.dmp

Filesize
88KB

Download
memory/748-6-0x00000000033C0000-0x0000000003410000-memory.dmp

Filesize
320KB

Download
memory/748-177-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/748-250-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/748-262-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/748-5-0x0000000003350000-0x000000000336C000-memory.dmp

Filesize
112KB

Download
memory/748-4-0x0000000001790000-0x000000000179E000-memory.dmp

Filesize
56KB

Download
memory/748-3-0x0000000001780000-0x000000000178E000-memory.dmp

Filesize
56KB

Download
memory/748-2-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/748-1-0x0000000000DB0000-0x0000000000FDE000-memory.dmp

Filesize
2.2MB

Download
memory/2216-286-0x000000001D1F0000-0x000000001D202000-memory.dmp

Filesize
72KB

Download