dcrat | ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Size

1.5MB
MD5

a85fc237c6a4ce58422363d3ab559e20
SHA1

581ad77fe54d760329df7be48163a65ce030b179
SHA256

ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474
SHA512

0345f6998a7c0f77264e7dc6d984bbbf4a08534c00a5bcedf25534c3dde1d2987394338288e192f251cdb06a27b26b582d50e3a0f7c3bfddfa6c5da395f1f19f
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		180	schtasks.exe
		436	schtasks.exe
		1976	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
		1012	schtasks.exe
		2008	schtasks.exe
		1844	schtasks.exe
		1364	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\", \"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\", \"C:\\Windows\\win\\sysmon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\", \"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\NgcCtnrGidsHandler\\dllhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\", \"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\NgcCtnrGidsHandler\\dllhost.exe\", \"C:\\Users\\Public\\Libraries\\TextInputHost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\", \"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\NgcCtnrGidsHandler\\dllhost.exe\", \"C:\\Users\\Public\\Libraries\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\", \"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\NgcCtnrGidsHandler\\dllhost.exe\", \"C:\\Users\\Public\\Libraries\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Start Menu\\dllhost.exe\", \"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3432	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	3432	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3432	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3432	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3432	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	180	3432	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3432	schtasks.exe	82

UAC bypass 3 TTPs 45 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
1816	powershell.exe
1072	powershell.exe
1148	powershell.exe
4852	powershell.exe
4416	powershell.exe
2500	powershell.exe
1280	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 14 IoCs

pid	Process
1844	dllhost.exe
1612	dllhost.exe
4056	dllhost.exe
3304	dllhost.exe
4860	dllhost.exe
2492	dllhost.exe
1160	dllhost.exe
1748	dllhost.exe
1992	dllhost.exe
4428	dllhost.exe
4384	dllhost.exe
4728	dllhost.exe
3196	dllhost.exe
1012	dllhost.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Start Menu\\dllhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Libraries\\TextInputHost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\dhcpcore\\winlogon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\NgcCtnrGidsHandler\\dllhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Libraries\\TextInputHost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Start Menu\\dllhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\NgcCtnrGidsHandler\\dllhost.exe\""	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dhcpcore\RCXA6E1.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\System32\dhcpcore\winlogon.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\System32\NgcCtnrGidsHandler\RCXABE4.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\dhcpcore\winlogon.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\dhcpcore\cc11b995f2a76d	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\System32\NgcCtnrGidsHandler\5940a34987c991	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win\sysmon.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\win\sysmon.exe	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File created	C:\Windows\win\121e5b5079f7c0	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
File opened for modification	C:\Windows\win\RCXA962.tmp	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
180	schtasks.exe
436	schtasks.exe
1976	schtasks.exe
1012	schtasks.exe
2008	schtasks.exe
1844	schtasks.exe
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1148	powershell.exe
1280	powershell.exe
4852	powershell.exe
2804	powershell.exe
1816	powershell.exe
4416	powershell.exe
1072	powershell.exe
1148	powershell.exe
1148	powershell.exe
1072	powershell.exe
1072	powershell.exe
2500	powershell.exe
2500	powershell.exe
1280	powershell.exe
1280	powershell.exe
2804	powershell.exe
2804	powershell.exe
2500	powershell.exe
4852	powershell.exe
4852	powershell.exe
1816	powershell.exe
1816	powershell.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
4416	powershell.exe
4416	powershell.exe
1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe
1844	dllhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1844	dllhost.exe
Token: SeDebugPrivilege	1612	dllhost.exe
Token: SeDebugPrivilege	4056	dllhost.exe
Token: SeDebugPrivilege	3304	dllhost.exe
Token: SeDebugPrivilege	4860	dllhost.exe
Token: SeDebugPrivilege	2492	dllhost.exe
Token: SeDebugPrivilege	1160	dllhost.exe
Token: SeDebugPrivilege	1748	dllhost.exe
Token: SeDebugPrivilege	1992	dllhost.exe
Token: SeDebugPrivilege	4428	dllhost.exe
Token: SeDebugPrivilege	4384	dllhost.exe
Token: SeDebugPrivilege	4728	dllhost.exe
Token: SeDebugPrivilege	3196	dllhost.exe
Token: SeDebugPrivilege	1012	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2500	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	90
PID 1704 wrote to memory of 2500	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	90
PID 1704 wrote to memory of 1280	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	91
PID 1704 wrote to memory of 1280	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	91
PID 1704 wrote to memory of 2804	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	92
PID 1704 wrote to memory of 2804	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	92
PID 1704 wrote to memory of 1816	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	93
PID 1704 wrote to memory of 1816	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	93
PID 1704 wrote to memory of 1072	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	94
PID 1704 wrote to memory of 1072	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	94
PID 1704 wrote to memory of 1148	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	95
PID 1704 wrote to memory of 1148	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	95
PID 1704 wrote to memory of 4416	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	96
PID 1704 wrote to memory of 4416	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	96
PID 1704 wrote to memory of 4852	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	97
PID 1704 wrote to memory of 4852	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	97
PID 1704 wrote to memory of 1844	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	106
PID 1704 wrote to memory of 1844	1704	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe	106
PID 1844 wrote to memory of 3464	1844	dllhost.exe	107
PID 1844 wrote to memory of 3464	1844	dllhost.exe	107
PID 1844 wrote to memory of 2328	1844	dllhost.exe	108
PID 1844 wrote to memory of 2328	1844	dllhost.exe	108
PID 3464 wrote to memory of 1612	3464	WScript.exe	115
PID 3464 wrote to memory of 1612	3464	WScript.exe	115
PID 1612 wrote to memory of 2316	1612	dllhost.exe	116
PID 1612 wrote to memory of 2316	1612	dllhost.exe	116
PID 1612 wrote to memory of 1704	1612	dllhost.exe	117
PID 1612 wrote to memory of 1704	1612	dllhost.exe	117
PID 2316 wrote to memory of 4056	2316	WScript.exe	118
PID 2316 wrote to memory of 4056	2316	WScript.exe	118
PID 4056 wrote to memory of 4644	4056	dllhost.exe	120
PID 4056 wrote to memory of 4644	4056	dllhost.exe	120
PID 4056 wrote to memory of 4752	4056	dllhost.exe	121
PID 4056 wrote to memory of 4752	4056	dllhost.exe	121
PID 4644 wrote to memory of 3304	4644	WScript.exe	123
PID 4644 wrote to memory of 3304	4644	WScript.exe	123
PID 3304 wrote to memory of 2280	3304	dllhost.exe	124
PID 3304 wrote to memory of 2280	3304	dllhost.exe	124
PID 3304 wrote to memory of 4212	3304	dllhost.exe	125
PID 3304 wrote to memory of 4212	3304	dllhost.exe	125
PID 2280 wrote to memory of 4860	2280	WScript.exe	126
PID 2280 wrote to memory of 4860	2280	WScript.exe	126
PID 4860 wrote to memory of 4112	4860	dllhost.exe	127
PID 4860 wrote to memory of 4112	4860	dllhost.exe	127
PID 4860 wrote to memory of 372	4860	dllhost.exe	128
PID 4860 wrote to memory of 372	4860	dllhost.exe	128
PID 4112 wrote to memory of 2492	4112	WScript.exe	129
PID 4112 wrote to memory of 2492	4112	WScript.exe	129
PID 2492 wrote to memory of 2624	2492	dllhost.exe	130
PID 2492 wrote to memory of 2624	2492	dllhost.exe	130
PID 2492 wrote to memory of 2544	2492	dllhost.exe	131
PID 2492 wrote to memory of 2544	2492	dllhost.exe	131
PID 2624 wrote to memory of 1160	2624	WScript.exe	132
PID 2624 wrote to memory of 1160	2624	WScript.exe	132
PID 1160 wrote to memory of 3636	1160	dllhost.exe	133
PID 1160 wrote to memory of 3636	1160	dllhost.exe	133
PID 1160 wrote to memory of 2576	1160	dllhost.exe	134
PID 1160 wrote to memory of 2576	1160	dllhost.exe	134
PID 3636 wrote to memory of 1748	3636	WScript.exe	135
PID 3636 wrote to memory of 1748	3636	WScript.exe	135
PID 1748 wrote to memory of 2160	1748	dllhost.exe	136
PID 1748 wrote to memory of 2160	1748	dllhost.exe	136
PID 1748 wrote to memory of 4856	1748	dllhost.exe	137
PID 1748 wrote to memory of 4856	1748	dllhost.exe	137

System policy modification 1 TTPs 45 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe
"C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Start Menu\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dhcpcore\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\win\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
  "C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70e3dede-d2e5-41d5-a25e-817faa9d4cca.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
      C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef16dfb0-d831-4edd-9ad5-a93ddb1aab5c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f313dad-555e-4498-acdf-fa99a59a2d51.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63b6fbbb-a88b-4056-b300-ed2e0d8c5b7b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d2b42f6-18d5-457b-8069-e52954cb5db9.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20d152d3-a594-44a4-a1fd-b4cf4ca68efc.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14561e24-5730-42b1-899d-6ab5ff9c4cbe.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bd59fd5-e615-4b2c-85e8-dcc54c219d36.vbs"
        17⤵
        
        PID:2160
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d1e343c-acb5-4517-b90f-6b353397a3ab.vbs"
        19⤵
        
        PID:408
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3de0c1d6-ad2a-40da-a01d-fa0a5887f715.vbs"
        21⤵
        
        PID:3260
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d479b1b-154e-4691-9b68-d07c49ee4005.vbs"
        23⤵
        
        PID:4692
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a68ca36-a805-4fd9-b06b-66ddeaa2d543.vbs"
        25⤵
        
        PID:1208
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c6f0745-e667-428f-baeb-c8506652e8c9.vbs"
        27⤵
        
        PID:1716
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        
        C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04720544-76cf-4678-afb1-379361436192.vbs"
        29⤵
        
        PID:3160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e98a63-4c65-46c7-8be4-cefab00aa4be.vbs"
        29⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d1c5cc-c841-443a-af73-d289da58b513.vbs"
        27⤵
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a41437e-5a00-403f-89a8-6dc8a8181377.vbs"
        25⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\622abe3c-b42b-4c3c-af21-ba1e65f2e408.vbs"
        23⤵
        
        PID:3916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc331156-844f-4e8a-9ab8-02c639451af2.vbs"
        21⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11507365-363f-4a45-a352-a82042b103ae.vbs"
        19⤵
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324179a4-10ce-42d3-9206-7afdcf405857.vbs"
        17⤵
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d5957ac-98a9-48ae-821b-5009d8c4a03e.vbs"
        15⤵
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cf47f80-5b66-4717-bd29-b7ff8501f0f6.vbs"
        13⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\548e2478-b02d-49bb-b38e-9a32b638a26a.vbs"
        11⤵
        
        PID:372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1aef84a-e492-4c38-ab29-559141124c13.vbs"
        9⤵
        
        PID:4212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\883f33bb-18b6-49be-8767-f507c25044d3.vbs"
        7⤵
        
        PID:4752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efb578be-8b95-4461-8884-a1a87a3e1f1e.vbs"
        5⤵
        
        PID:1704
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27221d7b-a705-485d-9e20-c742ec57bfd3.vbs"
    3⤵
    PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcore\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\win\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\NgcCtnrGidsHandler\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\04720544-76cf-4678-afb1-379361436192.vbs

Filesize
726B

MD5
cae0cac2752700c8023c8089511bd2ef

SHA1
72dce03c6fdba431b4cde9837fcab9bf481fd029

SHA256
0260ba7f8659e7a0047427c67e6bf0bb14b9e0f317e394a964ae279935e02aac

SHA512
5d04b7671d2b9c587d4c1c0eb75833b05a0100077053cca1e218bd4ca47d2df49d31b70f15a10a0da74834b003ebc5030cd14f375f47fb313326c4088a7c1adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\14561e24-5730-42b1-899d-6ab5ff9c4cbe.vbs

Filesize
726B

MD5
793c565cfacb76ecb4988386d6453b7f

SHA1
6b4f460d227e80f28f0a5c983421751922442afd

SHA256
3892d954d575dd44fa983736a5da9de8c1b8357d068ba9a458c3a5cc9c39727a

SHA512
585685dcaceb9174a314e4e91e1e02765e816053f89c41f1bed91264327ea98836730f4bd6d65f57d36ddde5202a23be61745dd4a469e070e85ee4233900c06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bd59fd5-e615-4b2c-85e8-dcc54c219d36.vbs

Filesize
726B

MD5
63a726476e756dbb1e5ee583837e19fe

SHA1
4ad285d969669c91d85f2ffb0a754c72ca9ab484

SHA256
4b566fe688eebbe36927dcd45e9441469d3ae677bd21ce227da13b5f5cbf8d1a

SHA512
ff4f9b3cd21d2192afe89fd9941694ee97e26a18c3e7fc3994fec6388a2a000482ea60398f9666c3f88790b723fa71b42f81088cdc18f4302dd2cc65f5afce75

Download Submit
C:\Users\Admin\AppData\Local\Temp\20d152d3-a594-44a4-a1fd-b4cf4ca68efc.vbs

Filesize
726B

MD5
7654b7a2a93a54c42d8411e3a1e185e7

SHA1
f704c76ef2e7093a532730d0182a93ce7ebdb8b5

SHA256
a6b94a6b9009c5bc064999f905d9a689dcf8af987a85c68ef29f344272afdc09

SHA512
90fdf8a7bc159fd7eadda726261ab04b3db607fdf9d93930d02697b9a30578cf99a5482576d373d5be3b29223c9479f9f24dcacbf1606d391add111a584beb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\27221d7b-a705-485d-9e20-c742ec57bfd3.vbs

Filesize
502B

MD5
ea9981b412cadb2b3fb589969eef5300

SHA1
ab827aa3848f2da1ce2eed9e9c620b348060908d

SHA256
a8b6b785c4712576ca8b5d879e4d02e5f9a8909e58ab10b42c3275360d89687c

SHA512
be14107b28c79ddf5503d6ed4d10e1e590f2732c4e9330fe374164b99614059268213844a077a68ca2e5b1487d2e385db3b9c4ea21ea110d7a77ba7d4dadf1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a68ca36-a805-4fd9-b06b-66ddeaa2d543.vbs

Filesize
726B

MD5
599de65a1db7d41d1cc447a2f2a11608

SHA1
75a5e39344c6530efb4528bb33175e1e309a678e

SHA256
f3574fd59300b2e564c32d05b6836e51a7d637b96a35a52b329ff582e03bc220

SHA512
503e0db2b2504c45ca127891cca3be90b8e40bc5027d002f819e86b612900040a1ea2f067593365599b22e14fb1e0351388cf248f2e8439ef7052b7d2d3f5835

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c6f0745-e667-428f-baeb-c8506652e8c9.vbs

Filesize
726B

MD5
5020f84b35c122eb5c6b2ee199a51cb8

SHA1
abcdc92a2beff418b063e0830845cd6308afee8f

SHA256
c7d9eedc5da76540e0f9eee2ef059e276f3bd141bee7807ff70a917b86776e46

SHA512
c1894961c20dc9efcc77e13dd246aae557ec94161d25db0548e1428a51901aaeec60e4100a9ed931bf6d357699397e171c9b9f1a7536ff4cb2be3a5b3757d351

Download Submit
C:\Users\Admin\AppData\Local\Temp\3de0c1d6-ad2a-40da-a01d-fa0a5887f715.vbs

Filesize
726B

MD5
9c9bf30ef6172f52edf07685292b83c1

SHA1
4b769b4e2172440a38976f6eac6fafbfb0e830fc

SHA256
0474ff47d819786bcb2f4610c7d05676997f6054868a9a2e96deb7ef2c0c519d

SHA512
d6371c6590983d0d1b0b3d9312803b4f88e0c07633ac89a64fd30258372ed6c71e8d42e2ba57c9e37dc83ae53cf0fbae2a542c7b616df9567401ab09a9c85cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\63b6fbbb-a88b-4056-b300-ed2e0d8c5b7b.vbs

Filesize
726B

MD5
e651b047bf403e78e6135abdd2452676

SHA1
61e0a374f0a9fc7b8a5a9ae0c8580ee3f175099a

SHA256
adccc870bc32a9271f8878db984171c42360c99ceffd709f2f0341d13c3e80e4

SHA512
bfd5fd5cd028ab70ce91a88cb691fcac346d69ec5c2fcf12d375be74214a9e3f585ed8453cae2e5ad33dbd3ab31341ac06eaf990d2614a718bc3da4acc481a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d1e343c-acb5-4517-b90f-6b353397a3ab.vbs

Filesize
726B

MD5
40d3ec2a98734f3bc28ba6db8027a89d

SHA1
0fd5f03f6e3544d41bb8ef1cbcf733491fbbaeb2

SHA256
5006dabb187f06e2c4a8ad59c7af908093e5538fd3cb2b048ac4931af852a95d

SHA512
86475af51d3bf247c0c73fcec73c933b32a8e51e8fdee17cec06ec04795b9c52d9b47708ebb95dca06f2c2d55a29fbcc1f6c6ada8f7090efad116249cc0d1415

Download Submit
C:\Users\Admin\AppData\Local\Temp\70e3dede-d2e5-41d5-a25e-817faa9d4cca.vbs

Filesize
726B

MD5
1066bc090bfc690d200d41f9c2cc3b12

SHA1
83c6a872a9117fd8e777dfbca6f84787b910cd40

SHA256
4a345bfa67bf88155f47f4ef3c34cce868c0d7d71752e89bc400bd9f0dd0cd8b

SHA512
bdcb2e25103d6e4b7d8d8332379eec1b9d19f5532b8311171c40ccc49730bf1d35e18c23135245c00baa5b2e8d38f1c84d524313e68d9e0592933fe1516cddd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d479b1b-154e-4691-9b68-d07c49ee4005.vbs

Filesize
726B

MD5
1bbb7191e1b93939601555606827ad07

SHA1
8bfbab146558eaef4aecd3e373f77b0712f02348

SHA256
5ca1015aba804ccc1e399d53daf3daa90a925654ea7eba3340612ebae1550fac

SHA512
a69ba67d46b5f6b2c817845c0120cef00fdfd34fea83bc12f6c6f4d0ff6ad8f64e3c95c50593254d006e5ecca1c425023f4021e57d68f98ea66b08c894c92459

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f313dad-555e-4498-acdf-fa99a59a2d51.vbs

Filesize
726B

MD5
c87caca7954b68deab4429bcff7a71b2

SHA1
d7ea4813a1cad582f8c92bb88232e74e70b52693

SHA256
579c6757785411878bf7ebd67ce274313cf7813201fed5f6460347d345a52a04

SHA512
0e1402da0a4ca8e46d29c9a58731c623e04644f0a9666e96e7b2714db2848235ca52c238a65f45ae8bc3fe2d0447f4b3e5f524fabe2d5dfeb9e420a414a49e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d2b42f6-18d5-457b-8069-e52954cb5db9.vbs

Filesize
726B

MD5
4b674ce7c3b7e6cbe9b5b285f8d66576

SHA1
20be0e9aa85cf3966350e10f0a02013c2e452018

SHA256
954928c6d1c3deec2ec89989e52f9e7da89d1cd2e02c5a297dd15b1723ae72e1

SHA512
4953aad89da1a942c57909ed3f2029baff44f04a69df7506838848e7f02aa70a0aa2fe7bf6fcafb5600a29c96f7fe3d2933c9589b3928e48e4590498b9f17fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znlk4g1c.jcg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef16dfb0-d831-4edd-9ad5-a93ddb1aab5c.vbs

Filesize
726B

MD5
dbfec44ae72772b8615c8eeae3bf5ce5

SHA1
46db033aa1bd3d1ece874c64fe7f5de323322e91

SHA256
2aa0bf6eeaa09ae474cc821413b39c569887d735e1b7ebf8421afd766057b31e

SHA512
0e2a44c0a2d651abed387375e91721ab6ad2d179c11f177089191894802462d1e1bc0ea1def0f7feec43b98a163a8d4102ae1b7f35687285baee14b5ddef0b2d

Download Submit
C:\Users\Public\Libraries\TextInputHost.exe

Filesize
1.5MB

MD5
a85fc237c6a4ce58422363d3ab559e20

SHA1
581ad77fe54d760329df7be48163a65ce030b179

SHA256
ff9212e305718dc963916ed8ffe42d553aea41bb44b312dbdb16dafd1b125474

SHA512
0345f6998a7c0f77264e7dc6d984bbbf4a08534c00a5bcedf25534c3dde1d2987394338288e192f251cdb06a27b26b582d50e3a0f7c3bfddfa6c5da395f1f19f

Download Submit
memory/1160-280-0x0000000002B40000-0x0000000002B52000-memory.dmp

Filesize
72KB

Download
memory/1280-115-0x000002177F6F0000-0x000002177F712000-memory.dmp

Filesize
136KB

Download
memory/1612-224-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/1704-11-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/1704-1-0x00000000002C0000-0x000000000043E000-memory.dmp

Filesize
1.5MB

Download
memory/1704-12-0x000000001B6E0000-0x000000001B6E8000-memory.dmp

Filesize
32KB

Download
memory/1704-21-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/1704-20-0x000000001B750000-0x000000001B75C000-memory.dmp

Filesize
48KB

Download
memory/1704-18-0x000000001B740000-0x000000001B748000-memory.dmp

Filesize
32KB

Download
memory/1704-16-0x000000001B720000-0x000000001B728000-memory.dmp

Filesize
32KB

Download
memory/1704-17-0x000000001B730000-0x000000001B73C000-memory.dmp

Filesize
48KB

Download
memory/1704-15-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/1704-0-0x00007FFA7C2A3000-0x00007FFA7C2A5000-memory.dmp

Filesize
8KB

Download
memory/1704-14-0x000000001B700000-0x000000001B70C000-memory.dmp

Filesize
48KB

Download
memory/1704-13-0x000000001B6F0000-0x000000001B6FA000-memory.dmp

Filesize
40KB

Download
memory/1704-24-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/1704-25-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/1704-194-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/1704-9-0x00000000027E0000-0x00000000027EC000-memory.dmp

Filesize
48KB

Download
memory/1704-8-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1704-2-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/1704-7-0x00000000027C0000-0x00000000027CC000-memory.dmp

Filesize
48KB

Download
memory/1704-6-0x00000000027A0000-0x00000000027AA000-memory.dmp

Filesize
40KB

Download
memory/1704-5-0x00000000027B0000-0x00000000027BC000-memory.dmp

Filesize
48KB

Download
memory/1704-10-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/1704-3-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/1704-4-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/1748-292-0x0000000002B90000-0x0000000002BA2000-memory.dmp

Filesize
72KB

Download
memory/3196-349-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4384-326-0x000000001B700000-0x000000001B712000-memory.dmp

Filesize
72KB

Download