dcrat | 34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Size

1.5MB
MD5

be0ea97c4266a59ca689f4b51a578c20
SHA1

98acacc03b3d3c9706d3c50c98948f0f13529e45
SHA256

34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45
SHA512

03d727b999d1b8a25e284d98a82bb514ffd1ce71d4f73dead5983570461f59c05345608fcfffe9abf3bb8537716bb56aca3b6e774a9040fbf0b99a6199a02505
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting\\OfficeClickToRun.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\KBDUSL\\taskhostw.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\KBDUSL\\taskhostw.exe\", \"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\", \"C:\\PerfLogs\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\KBDUSL\\taskhostw.exe\", \"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\", \"C:\\Documents and Settings\\Idle.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	2436	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2436	schtasks.exe	83

UAC bypass 3 TTPs 42 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3416	powershell.exe
4596	powershell.exe
2724	powershell.exe
4960	powershell.exe
4940	powershell.exe
4128	powershell.exe
5040	powershell.exe
3980	powershell.exe
2868	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 13 IoCs

pid	Process
2360	unsecapp.exe
3472	unsecapp.exe
1756	unsecapp.exe
2632	unsecapp.exe
3712	unsecapp.exe
4512	unsecapp.exe
1628	unsecapp.exe
2336	unsecapp.exe
4908	unsecapp.exe
4720	unsecapp.exe
1944	unsecapp.exe
2180	unsecapp.exe
4180	unsecapp.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\KBDUSL\\taskhostw.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PerfLogs\\SppExtComObj.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PerfLogs\\SppExtComObj.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\KBDSW09\\RuntimeBroker.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting\\OfficeClickToRun.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\KBDUSL\\taskhostw.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\Start Menu\\unsecapp.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDCHERP\\spoolsv.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVScripting\\OfficeClickToRun.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Documents and Settings\\Idle.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\KBDCHERP\RCX808E.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\KBDUSL\taskhostw.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\KBDSW09\RuntimeBroker.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\KBDCHERP\spoolsv.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\KBDUSL\ea9f0e6c9e2dcd	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\KBDUSL\taskhostw.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\KBDSW09\RCX7A80.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\KBDCHERP\spoolsv.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\KBDUSL\RCX8534.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\KBDSW09\RuntimeBroker.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\KBDSW09\9e8d7a4ca61bd9	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\KBDCHERP\f3b6ecef712a24	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\RCX82B2.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\OfficeClickToRun.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\OfficeClickToRun.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\e6c9b481da804f	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4640	schtasks.exe
1936	schtasks.exe
5008	schtasks.exe
4556	schtasks.exe
4984	schtasks.exe
1852	schtasks.exe
3384	schtasks.exe
3484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4960	powershell.exe
4960	powershell.exe
4128	powershell.exe
4128	powershell.exe
2868	powershell.exe
2868	powershell.exe
2724	powershell.exe
4940	powershell.exe
2724	powershell.exe
4940	powershell.exe
4596	powershell.exe
4596	powershell.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
3416	powershell.exe
3416	powershell.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
5040	powershell.exe
5040	powershell.exe
3980	powershell.exe
3980	powershell.exe
4960	powershell.exe
3416	powershell.exe
4596	powershell.exe
4940	powershell.exe
2868	powershell.exe
2724	powershell.exe
4128	powershell.exe
5040	powershell.exe
4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
3980	powershell.exe
2360	unsecapp.exe
2360	unsecapp.exe
2360	unsecapp.exe
2360	unsecapp.exe
2360	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2360	unsecapp.exe
Token: SeDebugPrivilege	3472	unsecapp.exe
Token: SeDebugPrivilege	1756	unsecapp.exe
Token: SeDebugPrivilege	2632	unsecapp.exe
Token: SeDebugPrivilege	3712	unsecapp.exe
Token: SeDebugPrivilege	4512	unsecapp.exe
Token: SeDebugPrivilege	1628	unsecapp.exe
Token: SeDebugPrivilege	2336	unsecapp.exe
Token: SeDebugPrivilege	4908	unsecapp.exe
Token: SeDebugPrivilege	4720	unsecapp.exe
Token: SeDebugPrivilege	1944	unsecapp.exe
Token: SeDebugPrivilege	2180	unsecapp.exe
Token: SeDebugPrivilege	4180	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4596	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	98
PID 4032 wrote to memory of 4596	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	98
PID 4032 wrote to memory of 3980	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	99
PID 4032 wrote to memory of 3980	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	99
PID 4032 wrote to memory of 2724	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	100
PID 4032 wrote to memory of 2724	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	100
PID 4032 wrote to memory of 4960	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	101
PID 4032 wrote to memory of 4960	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	101
PID 4032 wrote to memory of 4940	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	102
PID 4032 wrote to memory of 4940	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	102
PID 4032 wrote to memory of 2868	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	103
PID 4032 wrote to memory of 2868	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	103
PID 4032 wrote to memory of 4128	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	104
PID 4032 wrote to memory of 4128	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	104
PID 4032 wrote to memory of 5040	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	110
PID 4032 wrote to memory of 5040	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	110
PID 4032 wrote to memory of 3416	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	111
PID 4032 wrote to memory of 3416	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	111
PID 4032 wrote to memory of 2360	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	118
PID 4032 wrote to memory of 2360	4032	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	118
PID 2360 wrote to memory of 1364	2360	unsecapp.exe	119
PID 2360 wrote to memory of 1364	2360	unsecapp.exe	119
PID 2360 wrote to memory of 3392	2360	unsecapp.exe	120
PID 2360 wrote to memory of 3392	2360	unsecapp.exe	120
PID 1364 wrote to memory of 3472	1364	WScript.exe	125
PID 1364 wrote to memory of 3472	1364	WScript.exe	125
PID 3472 wrote to memory of 784	3472	unsecapp.exe	126
PID 3472 wrote to memory of 784	3472	unsecapp.exe	126
PID 3472 wrote to memory of 4412	3472	unsecapp.exe	127
PID 3472 wrote to memory of 4412	3472	unsecapp.exe	127
PID 784 wrote to memory of 1756	784	WScript.exe	128
PID 784 wrote to memory of 1756	784	WScript.exe	128
PID 1756 wrote to memory of 4396	1756	unsecapp.exe	129
PID 1756 wrote to memory of 4396	1756	unsecapp.exe	129
PID 1756 wrote to memory of 4944	1756	unsecapp.exe	130
PID 1756 wrote to memory of 4944	1756	unsecapp.exe	130
PID 4396 wrote to memory of 2632	4396	WScript.exe	134
PID 4396 wrote to memory of 2632	4396	WScript.exe	134
PID 2632 wrote to memory of 4404	2632	unsecapp.exe	135
PID 2632 wrote to memory of 4404	2632	unsecapp.exe	135
PID 2632 wrote to memory of 2456	2632	unsecapp.exe	136
PID 2632 wrote to memory of 2456	2632	unsecapp.exe	136
PID 4404 wrote to memory of 3712	4404	WScript.exe	137
PID 4404 wrote to memory of 3712	4404	WScript.exe	137
PID 3712 wrote to memory of 1052	3712	unsecapp.exe	138
PID 3712 wrote to memory of 1052	3712	unsecapp.exe	138
PID 3712 wrote to memory of 4932	3712	unsecapp.exe	139
PID 3712 wrote to memory of 4932	3712	unsecapp.exe	139
PID 1052 wrote to memory of 4512	1052	WScript.exe	140
PID 1052 wrote to memory of 4512	1052	WScript.exe	140
PID 4512 wrote to memory of 3868	4512	unsecapp.exe	141
PID 4512 wrote to memory of 3868	4512	unsecapp.exe	141
PID 4512 wrote to memory of 2288	4512	unsecapp.exe	142
PID 4512 wrote to memory of 2288	4512	unsecapp.exe	142
PID 3868 wrote to memory of 1628	3868	WScript.exe	144
PID 3868 wrote to memory of 1628	3868	WScript.exe	144
PID 1628 wrote to memory of 4516	1628	unsecapp.exe	145
PID 1628 wrote to memory of 4516	1628	unsecapp.exe	145
PID 1628 wrote to memory of 3788	1628	unsecapp.exe	146
PID 1628 wrote to memory of 3788	1628	unsecapp.exe	146
PID 4516 wrote to memory of 2336	4516	WScript.exe	147
PID 4516 wrote to memory of 2336	4516	WScript.exe	147
PID 2336 wrote to memory of 2256	2336	unsecapp.exe	148
PID 2336 wrote to memory of 2256	2336	unsecapp.exe	148

System policy modification 1 TTPs 42 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
"C:\Users\Admin\AppData\Local\Temp\34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDSW09\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDCHERP\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDUSL\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Users\All Users\Start Menu\unsecapp.exe
  "C:\Users\All Users\Start Menu\unsecapp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2360
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a86b666-09ce-4d3c-a476-a33ede6b68f8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\All Users\Start Menu\unsecapp.exe
      "C:\Users\All Users\Start Menu\unsecapp.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3472
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58162ba2-b2ff-4c9b-923a-8af4fb7a666e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2eecc8f-10b7-4ff9-b4d8-d9bdf99942cb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4039e5f5-e3a4-48c6-82b2-7de897795938.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b69b73b-e2ff-4645-a2a1-e0751d088904.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e0e4671-36a8-47bd-a7b3-243b2bbb5f7f.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a8cb61e-ff26-4e39-bd22-547aa2a036c7.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e852d584-9e27-4301-8639-afcf865d53de.vbs"
        17⤵
        
        PID:2256
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\839cf6d2-1af0-4f41-b881-f93b7161c95e.vbs"
        19⤵
        
        PID:1320
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c657207-32f4-49d2-8b0f-219a13c230b7.vbs"
        21⤵
        
        PID:1472
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d1ba8d2-24b6-47d8-9c66-32e2876cb9ff.vbs"
        23⤵
        
        PID:4804
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\715576da-0dbd-4871-b5cd-04c7c16f5aeb.vbs"
        25⤵
        
        PID:4692
        
        C:\Users\All Users\Start Menu\unsecapp.exe
        
        "C:\Users\All Users\Start Menu\unsecapp.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7119e468-cbd8-4b46-8d8b-e5ee3e299543.vbs"
        27⤵
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b354df-4ba8-43f1-9564-b36b649d43ba.vbs"
        27⤵
        
        PID:228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\751e4d8e-22dc-4129-bbbb-ba24f440b8fc.vbs"
        25⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991276c0-d734-4794-8fad-c361a5cfd3b6.vbs"
        23⤵
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7047dd1e-862d-4dd3-a756-86a06e9c4b68.vbs"
        21⤵
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8a11bc0-ba4d-453f-abc1-fff5d58bc42b.vbs"
        19⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00553abd-98b3-4679-a02c-f02b3310d6da.vbs"
        17⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\929060db-a9d5-4c5f-9906-b19625133f7d.vbs"
        15⤵
        
        PID:3788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\925ae9c7-b980-4740-8582-5e7ed10537c1.vbs"
        13⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0dd2319-4e15-42d5-bd8c-a399dd902040.vbs"
        11⤵
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87ed038e-85f5-45b3-b8fc-94f3a499fd98.vbs"
        9⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e248acfe-228a-481c-8acf-fe04b9486aa7.vbs"
        7⤵
        
        PID:4944
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6008bb6c-3d7a-4999-8536-32588b238a99.vbs"
        5⤵
        
        PID:4412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a555f32-edd8-42ba-a521-b780b61154ab.vbs"
    3⤵
    PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\KBDSW09\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PerfLogs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDCHERP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\KBDUSL\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting\OfficeClickToRun.exe

Filesize
1.5MB

MD5
be0ea97c4266a59ca689f4b51a578c20

SHA1
98acacc03b3d3c9706d3c50c98948f0f13529e45

SHA256
34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45

SHA512
03d727b999d1b8a25e284d98a82bb514ffd1ce71d4f73dead5983570461f59c05345608fcfffe9abf3bb8537716bb56aca3b6e774a9040fbf0b99a6199a02505

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\unsecapp.exe

Filesize
1.5MB

MD5
0870c30ae284c5f6c7aaf9ce330d94aa

SHA1
f1d7934b0161fbff1f25f99518a8d287ba9e53aa

SHA256
5ad4975238a858c6a875d089a94fa8e562123f85c5863afe22042069ced86da9

SHA512
c88b424f0c5341a36f5c93d717e8aee62a9386c0827b22617d53370b1522f27c871745e667253f05a812588860305e9832e5f65cadd19a4cb5e2af901e6b811d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a555f32-edd8-42ba-a521-b780b61154ab.vbs

Filesize
494B

MD5
bd7dc2d38f89bfa43eb6d40d21662dfb

SHA1
69a4f390c395deaa2a61e16526060e0132e44d6e

SHA256
ccc3ce4aee586fd47e7a6d2078d1556fa482e37b416caf6853c4ed4ddff28959

SHA512
b82d14172460de4286148031e6379198da4a0203dd52d115a11c9192aadf53a4e3fcfbff5adf12d6be5d6d6a6d29df62a0dc610b41428e15188e5d796e5d6ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4039e5f5-e3a4-48c6-82b2-7de897795938.vbs

Filesize
718B

MD5
00e56b6601c8c069176365c5f863e61e

SHA1
f73adc4abe1215155df676c1a7b8c79ce99f8fa3

SHA256
d85b113c917117c16d8c1e86cbd3cd581af32e5321f8929913bf16bbe96cd0df

SHA512
c762f9653028e3fdaa859c58e74b230b484547d6387c21a0c9556eb8c481500d9c58664e090809090b085166e38a441d27382a6c91eb5a08dad798f8baabd2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\58162ba2-b2ff-4c9b-923a-8af4fb7a666e.vbs

Filesize
718B

MD5
defd4cbbdca526b1951eeb32abb4760b

SHA1
0ea73acd7a8641aa557f8002f29fdaec8b93831b

SHA256
e0788cfe2105e1fbb016c27650b8e525b1af530639e8b8579b2d56de8d0921be

SHA512
666b598b18c5717db979d12fae8cfb539a4860aa1e14dd2ccafe554359e345b54315e0bc0ace0f3729b45eaa922d0b638ae761ee6542eeaaa2829f399bc31fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c657207-32f4-49d2-8b0f-219a13c230b7.vbs

Filesize
718B

MD5
9cd2db01d563cb726003c5b84eeb010f

SHA1
9cab608a427946bfd24e34266b79fc0be6f5d0d3

SHA256
a114214a8ae5402d35bb7eba6f96d6ca5c5ea6f7121d401a9d66c5f464f5cd0e

SHA512
3a191544fcf9a0eb83c0b8c48d1372a0f037a9b0cb1d402e85ec0c86842940b1f9930206df0cc4308389a8ff89d576ff5b06493b73147322f1ec7fb38fc48fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a8cb61e-ff26-4e39-bd22-547aa2a036c7.vbs

Filesize
718B

MD5
7b6fd794312814fb6b7b984dbef4b095

SHA1
19d7129caa201b7678061945784047e4519e4c3f

SHA256
5d1deb942f1fd54b02b14f048f6a594b94a78baa003b127516c361ea0c017734

SHA512
d847281c412c964de946420d618e58d963abd96f18a0f33358a4236ad6faed817f06090ffd360f8f6bed7d24cf30d4e85f1795f34072403876f83ec68e71f65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7119e468-cbd8-4b46-8d8b-e5ee3e299543.vbs

Filesize
718B

MD5
5e4a86fc821cf5fc853bd4829d7b7093

SHA1
813945fb4bf7aee836a794de8f6c503e845df956

SHA256
7aaba3958a63b22a24743bf32381e4bb7e7bc98933882698501af4b210d2eb39

SHA512
f113dce9891c0d54613612cc54ecb07270c5c120fa9bab52d1893f2ee05f0c9edbbaef21fbc295fccc09da7de42391c7bb409c56a21ae05681ad5400f6eb704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\715576da-0dbd-4871-b5cd-04c7c16f5aeb.vbs

Filesize
718B

MD5
a1cad0e8b4970ae5c270cba7d1bd20f4

SHA1
4cc6750d881052fa9faa5370347a7765be679166

SHA256
da326215cc485967546ed4a8e11bbd89dd9318b8dcd2958b7362e716cbf78a4a

SHA512
48b3068fee6dcd5a7ac2b8a6cefac7da1c41384ec45f12779996d6425b523bf7b03d35bc04abcc5f4fa663bbe94dfa93b28b7fd653ee3a265f0feda970732a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d1ba8d2-24b6-47d8-9c66-32e2876cb9ff.vbs

Filesize
718B

MD5
3dda11bbaad931162dbcf8b04b67553f

SHA1
1fa8a058b6e0c20bf002174bad0cf7234659253f

SHA256
46968c4d3e9fcdde96d69a84746dba73beedc613c95ec0ec9127834568511798

SHA512
2f7e1be8ef21ded587c0014467115aeeb88468d9d88c4fc8c2f9fa3d54290fc7602107763cec673cfd14110d7918c25669470848b5f1bb5479cb5357fc6e3dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\839cf6d2-1af0-4f41-b881-f93b7161c95e.vbs

Filesize
718B

MD5
b0e984b4e76bdbe5356cd8f3c79cac8d

SHA1
4d84c12cd63961ae719d2114a665a5242b4a47ea

SHA256
d8704cb89edd5d451132cedc6e4bf8969966180df261a55373aa39b2c5f2b817

SHA512
222822c6fe47ea2eebdeddb08a04c39bf7718e98d4c4a5c9f369244fbee105069fc8c76a778871f765454f2ca230a3db571b202cb67ac53f263cbb37efedee09

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a86b666-09ce-4d3c-a476-a33ede6b68f8.vbs

Filesize
718B

MD5
2ba3b878d7cd0e83189a1561c2231f1c

SHA1
3c3b615d493e9e99d3bd658d952686afd519e79e

SHA256
4bc78e3dbdacf10ff0b1033067f2a486d13e34e0c57546751c964aa580e81bbf

SHA512
7434720092b409a9f843f61259c9496456bb7f9f6b340b8b6c89420698dd5fdb786df510375b037578bc5427963a82825606b3bc4ed747ee0ba7965d3bc66d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e0e4671-36a8-47bd-a7b3-243b2bbb5f7f.vbs

Filesize
718B

MD5
6ccd9668fbcc50d4f7fd5183383abbe8

SHA1
59bf3fdaa7fbd3e2345b58c89d10210535ce2f21

SHA256
9079c66da559a24e69cf6e8b115e56663106cd458d8ff3efc1e7ce17761d28dd

SHA512
bcd9e861e5c5687775cbd8a9a57862ed684c92fc4c030d53d973ea48db501b20832d0fdbd8ee7f6a8d33020416bacc1b6152098ee6ffe870d972a0cf68b0ef79

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b69b73b-e2ff-4645-a2a1-e0751d088904.vbs

Filesize
718B

MD5
3579b929504c9a00df6a60e7757c0914

SHA1
5e6a86a2c9c4a00525654f829ad86eda7beb6ce5

SHA256
801b8603a71d81e62e3c0a055ebcfec756e2e86a12ce644db20c5a0543cae4b7

SHA512
0d08f1e63c165a26689cd17066910e4ad2a8346f56f4c1cc46fc670a1eec2762c0ec5fec3c4a522f54f3bb73b027c23578e0997615fb87212c33bca72395a1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptsue3cq.vmy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2eecc8f-10b7-4ff9-b4d8-d9bdf99942cb.vbs

Filesize
718B

MD5
04874386acc5df60a559104dcb3657b9

SHA1
ae170fd0c02911abccc377ea3766ab190a686ec2

SHA256
ab323b72884c4a7729f9f2d6d2e2ebaa8a7510a085580623616ec3d0860da0dd

SHA512
bafff4a149b987862c36290f624eac3591f9c0b9251971773467ffaff24bb46465dc4515398dc2cf12384f42d99ea9780b7de0301b348dbffc26c27602e30ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e852d584-9e27-4301-8639-afcf865d53de.vbs

Filesize
718B

MD5
5d43e66ba6645c799c091013e82a7b2c

SHA1
bd58ffa7fd94aa8eee733e6dac09691cb760b933

SHA256
123b8e31c2db9a11d049701ebdbe8009e59e7a4d09553d6bafda72045a5235d9

SHA512
97d688749fada4ab1d742de8be2a9acc53cb21965def3a4115bfe5454898489f3567030fa2d63a0d879a1d7038c8e2ca62e2ac426956ee7465176ef6d0783c83

Download Submit
memory/1628-328-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/2336-340-0x0000000002860000-0x0000000002872000-memory.dmp

Filesize
72KB

Download
memory/2336-351-0x000000001BDB0000-0x000000001BEB2000-memory.dmp

Filesize
1.0MB

Download
memory/2360-240-0x0000000000A40000-0x0000000000BBE000-memory.dmp

Filesize
1.5MB

Download
memory/2632-293-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4032-12-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/4032-1-0x0000000000EF0000-0x000000000106E000-memory.dmp

Filesize
1.5MB

Download
memory/4032-13-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/4032-24-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/4032-21-0x000000001C700000-0x000000001C708000-memory.dmp

Filesize
32KB

Download
memory/4032-20-0x000000001C390000-0x000000001C39C000-memory.dmp

Filesize
48KB

Download
memory/4032-18-0x000000001C380000-0x000000001C388000-memory.dmp

Filesize
32KB

Download
memory/4032-17-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/4032-16-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/4032-15-0x000000001BC40000-0x000000001BC4A000-memory.dmp

Filesize
40KB

Download
memory/4032-14-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/4032-0-0x00007FFC72ED3000-0x00007FFC72ED5000-memory.dmp

Filesize
8KB

Download
memory/4032-25-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/4032-241-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/4032-3-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/4032-11-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/4032-10-0x000000001BBF0000-0x000000001BC00000-memory.dmp

Filesize
64KB

Download
memory/4032-9-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/4032-8-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/4032-6-0x000000001BBA0000-0x000000001BBAA000-memory.dmp

Filesize
40KB

Download
memory/4032-7-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/4032-2-0x00007FFC72ED0000-0x00007FFC73991000-memory.dmp

Filesize
10.8MB

Download
memory/4032-5-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

Filesize
48KB

Download
memory/4032-4-0x000000001BB90000-0x000000001BBA2000-memory.dmp

Filesize
72KB

Download
memory/4180-397-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/4512-316-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/4596-156-0x000002135D770000-0x000002135D792000-memory.dmp

Filesize
136KB

Download