dcrat | 182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Size

1.5MB
MD5

6e727ca86bf17b8eb1d83e3e7a3bb202
SHA1

956d2b768d3842b3e579a45c4b53c9d7ea805833
SHA256

182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6
SHA512

6176e666c50d3a4c88a04dba49a9a7d44041402bb83d5f9a414c52737a41466624f0fa926b2b5c9137540d012b7dfd683151cb1a4a74e1ae42e340d846efe8a2
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\", \"C:\\Windows\\System32\\mblctr\\dllhost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\", \"C:\\Windows\\System32\\mblctr\\dllhost.exe\", \"C:\\PerfLogs\\dllhost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\", \"C:\\Windows\\System32\\mblctr\\dllhost.exe\", \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\fwcfg\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1708	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1708	schtasks.exe	83

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2400	powershell.exe
4704	powershell.exe
3000	powershell.exe
4088	powershell.exe
4464	powershell.exe
4572	powershell.exe
3684	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 15 IoCs

pid	Process
3248	dllhost.exe
3216	dllhost.exe
4644	dllhost.exe
1736	dllhost.exe
4564	dllhost.exe
908	dllhost.exe
3472	dllhost.exe
3016	dllhost.exe
2132	dllhost.exe
4204	dllhost.exe
3188	dllhost.exe
5100	dllhost.exe
4856	dllhost.exe
4928	dllhost.exe
3816	dllhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\fwcfg\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mblctr\\dllhost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\fwcfg\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Windows.Devices.Midi\\dwm.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mblctr\\dllhost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeClickToRun.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\fwcfg\dwm.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\Windows.Devices.Midi\6cb0b6c459d5d3	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\mblctr\5940a34987c991	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\fwcfg\RCXA1BF.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\mblctr\RCXA84A.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\mblctr\dllhost.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\fwcfg\dwm.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\fwcfg\6cb0b6c459d5d3	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\Windows.Devices.Midi\dwm.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\System32\mblctr\dllhost.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\Windows.Devices.Midi\RCXA5C8.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\System32\Windows.Devices.Midi\dwm.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\e6c9b481da804f	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXACD0.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\RCXA3C4.tmp	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1048	schtasks.exe
968	schtasks.exe
5108	schtasks.exe
5036	schtasks.exe
2112	schtasks.exe
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
3000	powershell.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
4704	powershell.exe
3684	powershell.exe
4572	powershell.exe
4464	powershell.exe
4088	powershell.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2400	powershell.exe
3684	powershell.exe
4572	powershell.exe
3000	powershell.exe
4704	powershell.exe
4088	powershell.exe
4464	powershell.exe
3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
2400	powershell.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe
3248	dllhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	3248	dllhost.exe
Token: SeDebugPrivilege	3216	dllhost.exe
Token: SeDebugPrivilege	4644	dllhost.exe
Token: SeDebugPrivilege	1736	dllhost.exe
Token: SeDebugPrivilege	4564	dllhost.exe
Token: SeDebugPrivilege	908	dllhost.exe
Token: SeDebugPrivilege	3472	dllhost.exe
Token: SeDebugPrivilege	3016	dllhost.exe
Token: SeDebugPrivilege	2132	dllhost.exe
Token: SeDebugPrivilege	4204	dllhost.exe
Token: SeDebugPrivilege	3188	dllhost.exe
Token: SeDebugPrivilege	5100	dllhost.exe
Token: SeDebugPrivilege	4856	dllhost.exe
Token: SeDebugPrivilege	4928	dllhost.exe
Token: SeDebugPrivilege	3816	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 2400	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	91
PID 3968 wrote to memory of 2400	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	91
PID 3968 wrote to memory of 4704	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	92
PID 3968 wrote to memory of 4704	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	92
PID 3968 wrote to memory of 3000	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	93
PID 3968 wrote to memory of 3000	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	93
PID 3968 wrote to memory of 4088	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	94
PID 3968 wrote to memory of 4088	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	94
PID 3968 wrote to memory of 4464	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	95
PID 3968 wrote to memory of 4464	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	95
PID 3968 wrote to memory of 4572	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	96
PID 3968 wrote to memory of 4572	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	96
PID 3968 wrote to memory of 3684	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	97
PID 3968 wrote to memory of 3684	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	97
PID 3968 wrote to memory of 3248	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	105
PID 3968 wrote to memory of 3248	3968	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe	105
PID 3248 wrote to memory of 968	3248	dllhost.exe	106
PID 3248 wrote to memory of 968	3248	dllhost.exe	106
PID 3248 wrote to memory of 3424	3248	dllhost.exe	107
PID 3248 wrote to memory of 3424	3248	dllhost.exe	107
PID 968 wrote to memory of 3216	968	WScript.exe	108
PID 968 wrote to memory of 3216	968	WScript.exe	108
PID 3216 wrote to memory of 1196	3216	dllhost.exe	109
PID 3216 wrote to memory of 1196	3216	dllhost.exe	109
PID 3216 wrote to memory of 2768	3216	dllhost.exe	110
PID 3216 wrote to memory of 2768	3216	dllhost.exe	110
PID 1196 wrote to memory of 4644	1196	WScript.exe	122
PID 1196 wrote to memory of 4644	1196	WScript.exe	122
PID 4644 wrote to memory of 4400	4644	dllhost.exe	124
PID 4644 wrote to memory of 4400	4644	dllhost.exe	124
PID 4644 wrote to memory of 1948	4644	dllhost.exe	125
PID 4644 wrote to memory of 1948	4644	dllhost.exe	125
PID 4400 wrote to memory of 1736	4400	WScript.exe	128
PID 4400 wrote to memory of 1736	4400	WScript.exe	128
PID 1736 wrote to memory of 3480	1736	dllhost.exe	129
PID 1736 wrote to memory of 3480	1736	dllhost.exe	129
PID 1736 wrote to memory of 2020	1736	dllhost.exe	130
PID 1736 wrote to memory of 2020	1736	dllhost.exe	130
PID 3480 wrote to memory of 4564	3480	WScript.exe	131
PID 3480 wrote to memory of 4564	3480	WScript.exe	131
PID 4564 wrote to memory of 4288	4564	dllhost.exe	132
PID 4564 wrote to memory of 4288	4564	dllhost.exe	132
PID 4564 wrote to memory of 3952	4564	dllhost.exe	133
PID 4564 wrote to memory of 3952	4564	dllhost.exe	133
PID 4288 wrote to memory of 908	4288	WScript.exe	134
PID 4288 wrote to memory of 908	4288	WScript.exe	134
PID 908 wrote to memory of 1676	908	dllhost.exe	135
PID 908 wrote to memory of 1676	908	dllhost.exe	135
PID 908 wrote to memory of 3608	908	dllhost.exe	136
PID 908 wrote to memory of 3608	908	dllhost.exe	136
PID 1676 wrote to memory of 3472	1676	WScript.exe	138
PID 1676 wrote to memory of 3472	1676	WScript.exe	138
PID 3472 wrote to memory of 3420	3472	dllhost.exe	139
PID 3472 wrote to memory of 3420	3472	dllhost.exe	139
PID 3472 wrote to memory of 4596	3472	dllhost.exe	140
PID 3472 wrote to memory of 4596	3472	dllhost.exe	140
PID 3420 wrote to memory of 3016	3420	WScript.exe	141
PID 3420 wrote to memory of 3016	3420	WScript.exe	141
PID 3016 wrote to memory of 1256	3016	dllhost.exe	142
PID 3016 wrote to memory of 1256	3016	dllhost.exe	142
PID 3016 wrote to memory of 1640	3016	dllhost.exe	143
PID 3016 wrote to memory of 1640	3016	dllhost.exe	143
PID 1256 wrote to memory of 2132	1256	WScript.exe	144
PID 1256 wrote to memory of 2132	1256	WScript.exe	144

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe
"C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fwcfg\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Devices.Midi\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mblctr\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\PerfLogs\dllhost.exe
  "C:\PerfLogs\dllhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3248
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f92c6e0-6d53-4ed0-88b7-eac4b29d5c65.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\PerfLogs\dllhost.exe
      C:\PerfLogs\dllhost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\885ce6ed-5f92-42ac-bc44-02c9dbab7594.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eef9aa16-204b-4814-a834-0dde5667a416.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af6ab6a8-528d-441c-bddf-ad08a68b1f71.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3bcfa1-ee11-4a97-8f24-7382e1b5b5b7.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b9527a-a886-4b75-ac8d-839a29033ec3.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7ce2f9c-b869-4446-94a0-6c3695f6a237.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9319944-488b-457a-97b8-e1b338282ce5.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\668159ff-0bd6-4d5d-a04c-29acf9d325a5.vbs"
        19⤵
        
        PID:4584
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f459856-bf5e-4492-a3e9-890345def5cb.vbs"
        21⤵
        
        PID:4440
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\425fdd4d-6024-4c6a-b5ce-558e98778029.vbs"
        23⤵
        
        PID:3892
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cdd5bbf-6d07-4af7-ae16-c5a0cda7b4bf.vbs"
        25⤵
        
        PID:3460
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b94b227-9ce5-4d54-b022-1f578311f186.vbs"
        27⤵
        
        PID:3476
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4a0553c-310e-45e2-8cd7-ed3761820b00.vbs"
        29⤵
        
        PID:1616
        
        C:\PerfLogs\dllhost.exe
        
        C:\PerfLogs\dllhost.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d69cfc9-c890-411a-8ca9-c7fad900211e.vbs"
        31⤵
        
        PID:1120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aec75c49-05f6-4677-a63e-406573756ac7.vbs"
        31⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529726f4-9b20-4a50-bedb-438857cc1aff.vbs"
        29⤵
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0668e634-6246-4203-adb6-25d4eac76702.vbs"
        27⤵
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7431edff-5339-40c5-a7cd-f4df6e29216b.vbs"
        25⤵
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bd7fbc7-f64c-4a82-9692-9711c11b95d8.vbs"
        23⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf174cfb-6a0c-4e79-bb41-55318452e292.vbs"
        21⤵
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c42abf-08f5-4a5b-8112-9bde8f756661.vbs"
        19⤵
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d740a85-3061-4d5f-91b5-124588005119.vbs"
        17⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604eb722-517c-43bb-89e3-31f8d5250865.vbs"
        15⤵
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce4eb3be-96f9-4a6e-8174-0a44c66e086e.vbs"
        13⤵
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f82794b-cfb9-4da6-97bb-d5e635f1e82e.vbs"
        11⤵
        
        PID:3952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d06f0e49-b3e1-4b66-a89f-7ffc34eba301.vbs"
        9⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3f8356a-1b5a-430a-92ef-63eabf05d45a.vbs"
        7⤵
        
        PID:1948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce22ef15-1401-4c8a-941c-75ef6e6df9ef.vbs"
        5⤵
        
        PID:2768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c37c7e-4abb-4d9c-bae6-44cf79b6c660.vbs"
    3⤵
    PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\fwcfg\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Devices.Midi\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\mblctr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\dllhost.exe

Filesize
1.5MB

MD5
6e727ca86bf17b8eb1d83e3e7a3bb202

SHA1
956d2b768d3842b3e579a45c4b53c9d7ea805833

SHA256
182827f40f252e6e7262555cdad9764bbc75da40e90512b987546608fca94be6

SHA512
6176e666c50d3a4c88a04dba49a9a7d44041402bb83d5f9a414c52737a41466624f0fa926b2b5c9137540d012b7dfd683151cb1a4a74e1ae42e340d846efe8a2

Download Submit
C:\PerfLogs\dllhost.exe

Filesize
1.5MB

MD5
db28ca18b6faa8ff80f31b8d04a3438a

SHA1
fc8f3c9816414a69614be017f07883fb73b9ac2a

SHA256
644ccb3d976e0fea07a933f74750e3197dd00fc6f77871e350436dd7fa482907

SHA512
6d00c8b4f723431071d802ebfe92f7dc1b56077ca8efee56fc26c97e3470a41c8cdb80231085259c0c659e5a1b47bc3277392f91bb53cb1d6de08b375424bab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\04b9527a-a886-4b75-ac8d-839a29033ec3.vbs

Filesize
698B

MD5
d56cd49b7454598b045353338a9bb0df

SHA1
7462d14f37a807dc8b6e3c4c7dd44efcf47e97ee

SHA256
eb8c3ec30172b6b1fd9c39bfc1f7b474b5c42daaeb5dd708e9b3dbde1c763b6b

SHA512
f469c4f7042e4eeab5d2a446ddea01080860a2e74792633d85dc748f25b6de322340f7ca4ef1967ad7242bce78337b3fd2cae55d2d29713cfaf49fe6d848b1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cdd5bbf-6d07-4af7-ae16-c5a0cda7b4bf.vbs

Filesize
699B

MD5
5874f4579bf9f6b271f1d146ad420199

SHA1
25c5760cabda533aef90277c0575c9eb290491b6

SHA256
61996f40a5d75ab7071da6844de3bdd3551f6e495060be9384bd5ca02a9d24de

SHA512
cd7a4ad784838c60f1f07b9bd9c83dfdd94ab5d09ed843e760503b9b8a9a14a39390ab797d753c09d5f6620f4006330ae23dcf7910ba98339a915b6017cf62b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\425fdd4d-6024-4c6a-b5ce-558e98778029.vbs

Filesize
699B

MD5
55df5cf594c03ad85cb06bcee59e4abb

SHA1
362c6d2ac4eda2f039d84fbfbf57b372bcdfff1a

SHA256
2949bd37364499cb86ad9fee9ad923d9ba8d2123d62efc5816aac42115748cc8

SHA512
fdfe1675461c956d801a7fa6f5df067c23b5af7b85eb3d34da8d4c14b3a9214794df38c5b41e99ee40d9e0f235b6d10c3ffc91e348b25c1cf13e302b0aecf102

Download Submit
C:\Users\Admin\AppData\Local\Temp\668159ff-0bd6-4d5d-a04c-29acf9d325a5.vbs

Filesize
699B

MD5
4280007d2afc0da4a7238d0cf165c7ae

SHA1
f3ee55d34220a27485c501dc74317ea18b6f13d6

SHA256
86924670622034335eee197acefab4318e764bc9f4d5fe30f664bff8b8742aa1

SHA512
5f4ff84e976903973dadbfe4817590f831c3e322d788450257e2af9d2be42b82846f8dd2a521e79061077a675dc97dfc1e887d4cef73c81c887e9188953886fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f459856-bf5e-4492-a3e9-890345def5cb.vbs

Filesize
699B

MD5
8f93ce19a1b354d623ee755a310ee83d

SHA1
dbae4bc70801acb0e937693536d581802dd003ca

SHA256
de5894c6e224df4add88982dba0434ed172bd05dfbc67ba2d984f11ab00cd6e1

SHA512
c01a7215ad1ed88c5b2c9de6ade7939a3c718812f58fc1204aabefac50d5c9f208a10573c0627eb3c9b29d8bdd886fc6db541ccd1a97556876bafa9e916d66a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\78c37c7e-4abb-4d9c-bae6-44cf79b6c660.vbs

Filesize
475B

MD5
74ce0b8fc07fd993c1b4cf026d674c44

SHA1
3beeca655a2830e243ef9ba2139c76bb0cb719ab

SHA256
7765d984cc464985a56e8914adfb47d67b77ed3a5794e63e5e66404c1c7801f9

SHA512
3a4eb6114f528b00dae7590b5148151c2804c163a394752849a3727fec008b4c17b4fdb7d36dea417468c2106e97cdd96ed9be3bba427717ba99c76e6c72fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b94b227-9ce5-4d54-b022-1f578311f186.vbs

Filesize
699B

MD5
7e03ff199feb96a6ad46798c4f7e43f7

SHA1
9b30168348893c23b352953fcdb2edcae4cc9724

SHA256
2ace3502ee3224cbdd03feb126e2e5f7f1f1b0ed99be4f080319bd9c24c0ce9b

SHA512
d6461146848e64f9c2ddbd5e7d3bef762e17d80026b4de7da6012fd5a6d41208816063be4a4f0315e6f6802e2a05c894493a333b01a7a07de30ec956932718ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f92c6e0-6d53-4ed0-88b7-eac4b29d5c65.vbs

Filesize
699B

MD5
8a416a5ab51fdd78395c180db9365875

SHA1
1932f8b2a74c8bb7a1bfc6cff676753b30b68588

SHA256
079bc177f026664ab74304f7329a82443752f57e634b2d36e0850e50d9f3f8cb

SHA512
cb295d7a0a941f721a0eeb91cae47074231513e6aab2b724776a4102bf546d8a8af3c9cb20a51faadc20be8e9d0c9547fdf09ed3e3a278c2b6df7331de39bd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\885ce6ed-5f92-42ac-bc44-02c9dbab7594.vbs

Filesize
699B

MD5
3f910256b0d3c5c56ab3c3fb0745d862

SHA1
5134585183767babf3f641985993826711c49eb1

SHA256
35b740e199575515d795e2f2aafe45b1dcd9b50815d4dffa84b66382cdf84eed

SHA512
da38681e5e2f3767360cd6185b4078e01b04179e7dcae9a81ea1b18048608a9639c78008348a41a7c7929e71b9fedd03c34df608e9bc655ab5a5cafcfb19cd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqy5sdye.tor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7ce2f9c-b869-4446-94a0-6c3695f6a237.vbs

Filesize
699B

MD5
be98d3d9b9fd1148268b86797b1ffe9b

SHA1
cfb52f84e38e3642710a9b0e5a7aa1fc073a744b

SHA256
178388e62d166423ebb9d90c673c71d96aed0637c7e5b3849fdf14de8b3e85bb

SHA512
fefbb62e52241a903add14526cfd1df39531906f0ab624c6fe9d4f6a578f62dfbad2e8ba849dcbe5f9dd6cb594b5a69dfab8d7d54b95677b074a2118db8c3a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\af6ab6a8-528d-441c-bddf-ad08a68b1f71.vbs

Filesize
699B

MD5
992b7b318ff9098a4fa3769b37a20c95

SHA1
214ad535f5fc5fc6b1308c909a6e433f37917d53

SHA256
e830322128c00446f7f43c9f2b79e9c7d5ccf5f2a49349214ee9f9fcdf4934e7

SHA512
ddece9163c6a4d5905eced62493a1b1b97143aefa54c4362c54843e246052a5fb91494ab84cc0e0c70ca70d8e85c87cfc33691dd3c0e89c5c391b97741632b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4a0553c-310e-45e2-8cd7-ed3761820b00.vbs

Filesize
699B

MD5
46222a5a8d643996967dc4480fa0678f

SHA1
76255303dac841667b91f8ec6969c7f9a3e7dc18

SHA256
f87ad2774e18d3bafdc6c4b863a9876b71f13b3f9f6ef5e054e8392bff88c851

SHA512
7924b7295288a38d33df8b221b8a95d903463b1447edb19618cae4266cc193338566acb5048c0a3116786a0207557e3597c35b24e0ed76fe3d53584a12c26946

Download Submit
C:\Users\Admin\AppData\Local\Temp\eef9aa16-204b-4814-a834-0dde5667a416.vbs

Filesize
699B

MD5
df9fafbaddb3666109a9bc001fce2fe1

SHA1
4ac240702f5ae0a551877f2a00faa12cf2556197

SHA256
a01edf247d35b3cee403daeadf8722b86ed1e5b56d3268e3f3aec75e8d9c67ee

SHA512
4972e24c3e2b22d80bd05e7f9a3389b8e1c84cbddf24dd2fcefe80c60788a97903b7221f836487ccb48796d2f306c3229180d535db24e8b556d3261a030669ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9319944-488b-457a-97b8-e1b338282ce5.vbs

Filesize
699B

MD5
bdf6e4e50c2c2c7dbfa4fe464fa7642b

SHA1
2ff641175115a2fb1ff8850e2d7f01d9501e9328

SHA256
eb8581891d68710a77db8f2c4cf08533423f614e1099525526e7168bfc5cfb03

SHA512
bcabe2c659f5175c7fc80fb3a1ffaba4d47376087f41dba57f744d4650e7f1483c56e30a62bfa7c30ce8f4e76abac196064211c4cdf862697d01479e0af0dcf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb3bcfa1-ee11-4a97-8f24-7382e1b5b5b7.vbs

Filesize
699B

MD5
e70750eb2700b64e00dee5203c288d6c

SHA1
80618fb5a49579493ca6bb20c5fcd6a9a285bb8b

SHA256
28bf279a2d9a516826678b969ebb9a081b5f45fb3518cae5f318c1a2bb4235b7

SHA512
6cb759c07fc2bf3513c28d7e3c4afe558697305c0262cff8cbec7d6adec0f244676df5cd112f9a4a004c478dfc9ec3196962af946dc8ed3af3b5f7bcdbab5812

Download Submit
memory/1736-231-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/2132-289-0x0000000001580000-0x0000000001592000-memory.dmp

Filesize
72KB

Download
memory/3000-108-0x000002A178F90000-0x000002A178FB2000-memory.dmp

Filesize
136KB

Download
memory/3016-277-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/3216-208-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/3248-189-0x0000000001730000-0x0000000001742000-memory.dmp

Filesize
72KB

Download
memory/3248-178-0x0000000000DF0000-0x0000000000F6E000-memory.dmp

Filesize
1.5MB

Download
memory/3968-14-0x0000000003430000-0x000000000343C000-memory.dmp

Filesize
48KB

Download
memory/3968-11-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/3968-21-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

Filesize
32KB

Download
memory/3968-20-0x000000001BE60000-0x000000001BE6C000-memory.dmp

Filesize
48KB

Download
memory/3968-18-0x000000001BE50000-0x000000001BE58000-memory.dmp

Filesize
32KB

Download
memory/3968-17-0x000000001BE40000-0x000000001BE4C000-memory.dmp

Filesize
48KB

Download
memory/3968-16-0x0000000003450000-0x0000000003458000-memory.dmp

Filesize
32KB

Download
memory/3968-25-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/3968-15-0x0000000003440000-0x000000000344A000-memory.dmp

Filesize
40KB

Download
memory/3968-13-0x0000000003420000-0x000000000342A000-memory.dmp

Filesize
40KB

Download
memory/3968-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

Filesize
8KB

Download
memory/3968-12-0x0000000003410000-0x0000000003418000-memory.dmp

Filesize
32KB

Download
memory/3968-1-0x0000000000FE0000-0x000000000115E000-memory.dmp

Filesize
1.5MB

Download
memory/3968-24-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/3968-10-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/3968-9-0x00000000033E0000-0x00000000033EC000-memory.dmp

Filesize
48KB

Download
memory/3968-179-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/3968-8-0x00000000033D0000-0x00000000033D8000-memory.dmp

Filesize
32KB

Download
memory/3968-6-0x00000000019F0000-0x00000000019FA000-memory.dmp

Filesize
40KB

Download
memory/3968-7-0x00000000033C0000-0x00000000033CC000-memory.dmp

Filesize
48KB

Download
memory/3968-5-0x0000000001A00000-0x0000000001A0C000-memory.dmp

Filesize
48KB

Download
memory/3968-3-0x00000000019C0000-0x00000000019C8000-memory.dmp

Filesize
32KB

Download
memory/3968-4-0x00000000019E0000-0x00000000019F2000-memory.dmp

Filesize
72KB

Download
memory/3968-2-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Filesize
10.8MB

Download
memory/4564-243-0x000000001ADA0000-0x000000001ADB2000-memory.dmp

Filesize
72KB

Download