dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb2c82a6695709d9304734b55a6a350.exe
Size

1.1MB
MD5

feb2c82a6695709d9304734b55a6a350
SHA1

3554b395961de66e5d84c1fc0ba527a0c205d965
SHA256

56d979b2ce2e20c7cb13c3cf49ec8c462f311fe38f2b75e80a4e90dee425c844
SHA512

952f21c0c48c66e5a17c4cd757d107de6d45fff4b2e0e8506e29910287b9888e8f8f5344edda596393d23d300c3048a60b6ae94386daf1acbf4c8032612ac2db
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\", \"C:\\Windows\\System32\\wbem\\kerberos\\unsecapp.exe\", \"C:\\Windows\\System32\\KBDINGUJ\\RuntimeBroker.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\", \"C:\\Windows\\System32\\wbem\\kerberos\\unsecapp.exe\", \"C:\\Windows\\System32\\KBDINGUJ\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\C_20949\\SppExtComObj.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\", \"C:\\Windows\\System32\\wbem\\kerberos\\unsecapp.exe\", \"C:\\Windows\\System32\\KBDINGUJ\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\C_20949\\SppExtComObj.exe\", \"C:\\PerfLogs\\SearchApp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\", \"C:\\Windows\\System32\\wbem\\kerberos\\unsecapp.exe\""	feb2c82a6695709d9304734b55a6a350.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	224	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	224	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	224	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	224	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	224	schtasks.exe	87

UAC bypass 3 TTPs 57 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1248	powershell.exe
5320	powershell.exe
5916	powershell.exe
3076	powershell.exe
1924	powershell.exe
3604	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	feb2c82a6695709d9304734b55a6a350.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	feb2c82a6695709d9304734b55a6a350.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 18 IoCs

pid	Process
1064	unsecapp.exe
5696	unsecapp.exe
716	unsecapp.exe
4744	unsecapp.exe
872	unsecapp.exe
1708	unsecapp.exe
1636	unsecapp.exe
1088	unsecapp.exe
3616	unsecapp.exe
1816	unsecapp.exe
3304	unsecapp.exe
4360	unsecapp.exe
2928	unsecapp.exe
4552	unsecapp.exe
5200	unsecapp.exe
3852	unsecapp.exe
5564	unsecapp.exe
208	unsecapp.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\PerfLogs\\SearchApp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\PerfLogs\\SearchApp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\Win32_Tpm\\unsecapp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\kerberos\\unsecapp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\kerberos\\unsecapp.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\KBDINGUJ\\RuntimeBroker.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\KBDINGUJ\\RuntimeBroker.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\C_20949\\SppExtComObj.exe\""	feb2c82a6695709d9304734b55a6a350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\C_20949\\SppExtComObj.exe\""	feb2c82a6695709d9304734b55a6a350.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	feb2c82a6695709d9304734b55a6a350.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	feb2c82a6695709d9304734b55a6a350.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wbem\Win32_Tpm\unsecapp.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\KBDINGUJ\RuntimeBroker.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\C_20949\SppExtComObj.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\C_20949\e1ef82546f0b02	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\wbem\Win32_Tpm\29c1c3cc0f7685	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\wbem\kerberos\unsecapp.exe	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\wbem\Win32_Tpm\RCX9701.tmp	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\wbem\kerberos\unsecapp.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\wbem\Win32_Tpm\unsecapp.exe	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\wbem\kerberos\29c1c3cc0f7685	feb2c82a6695709d9304734b55a6a350.exe
File created	C:\Windows\System32\KBDINGUJ\9e8d7a4ca61bd9	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\wbem\kerberos\RCX9906.tmp	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\KBDINGUJ\RCX9B2A.tmp	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\KBDINGUJ\RuntimeBroker.exe	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\C_20949\RCX9D2E.tmp	feb2c82a6695709d9304734b55a6a350.exe
File opened for modification	C:\Windows\System32\C_20949\SppExtComObj.exe	feb2c82a6695709d9304734b55a6a350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	feb2c82a6695709d9304734b55a6a350.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2400	schtasks.exe
4992	schtasks.exe
6096	schtasks.exe
2056	schtasks.exe
3904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1248	powershell.exe
1248	powershell.exe
3076	powershell.exe
3076	powershell.exe
5320	powershell.exe
5320	powershell.exe
3604	powershell.exe
3604	powershell.exe
5916	powershell.exe
5916	powershell.exe
5916	powershell.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1924	powershell.exe
1924	powershell.exe
1248	powershell.exe
5320	powershell.exe
3604	powershell.exe
3076	powershell.exe
1924	powershell.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1320	feb2c82a6695709d9304734b55a6a350.exe
1064	unsecapp.exe
1064	unsecapp.exe
1064	unsecapp.exe
1064	unsecapp.exe
1064	unsecapp.exe
1064	unsecapp.exe
5696	unsecapp.exe
5696	unsecapp.exe
5696	unsecapp.exe
5696	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
716	unsecapp.exe
4744	unsecapp.exe
4744	unsecapp.exe
4744	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	feb2c82a6695709d9304734b55a6a350.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1064	unsecapp.exe
Token: SeDebugPrivilege	5696	unsecapp.exe
Token: SeDebugPrivilege	716	unsecapp.exe
Token: SeDebugPrivilege	4744	unsecapp.exe
Token: SeDebugPrivilege	872	unsecapp.exe
Token: SeDebugPrivilege	1708	unsecapp.exe
Token: SeDebugPrivilege	1636	unsecapp.exe
Token: SeDebugPrivilege	1088	unsecapp.exe
Token: SeDebugPrivilege	3616	unsecapp.exe
Token: SeDebugPrivilege	1816	unsecapp.exe
Token: SeDebugPrivilege	3304	unsecapp.exe
Token: SeDebugPrivilege	4360	unsecapp.exe
Token: SeDebugPrivilege	2928	unsecapp.exe
Token: SeDebugPrivilege	4552	unsecapp.exe
Token: SeDebugPrivilege	5200	unsecapp.exe
Token: SeDebugPrivilege	3852	unsecapp.exe
Token: SeDebugPrivilege	5564	unsecapp.exe
Token: SeDebugPrivilege	208	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3604	1320	feb2c82a6695709d9304734b55a6a350.exe	98
PID 1320 wrote to memory of 3604	1320	feb2c82a6695709d9304734b55a6a350.exe	98
PID 1320 wrote to memory of 1248	1320	feb2c82a6695709d9304734b55a6a350.exe	99
PID 1320 wrote to memory of 1248	1320	feb2c82a6695709d9304734b55a6a350.exe	99
PID 1320 wrote to memory of 5320	1320	feb2c82a6695709d9304734b55a6a350.exe	100
PID 1320 wrote to memory of 5320	1320	feb2c82a6695709d9304734b55a6a350.exe	100
PID 1320 wrote to memory of 5916	1320	feb2c82a6695709d9304734b55a6a350.exe	101
PID 1320 wrote to memory of 5916	1320	feb2c82a6695709d9304734b55a6a350.exe	101
PID 1320 wrote to memory of 3076	1320	feb2c82a6695709d9304734b55a6a350.exe	102
PID 1320 wrote to memory of 3076	1320	feb2c82a6695709d9304734b55a6a350.exe	102
PID 1320 wrote to memory of 1924	1320	feb2c82a6695709d9304734b55a6a350.exe	103
PID 1320 wrote to memory of 1924	1320	feb2c82a6695709d9304734b55a6a350.exe	103
PID 1320 wrote to memory of 1064	1320	feb2c82a6695709d9304734b55a6a350.exe	110
PID 1320 wrote to memory of 1064	1320	feb2c82a6695709d9304734b55a6a350.exe	110
PID 1064 wrote to memory of 5828	1064	unsecapp.exe	111
PID 1064 wrote to memory of 5828	1064	unsecapp.exe	111
PID 1064 wrote to memory of 5724	1064	unsecapp.exe	112
PID 1064 wrote to memory of 5724	1064	unsecapp.exe	112
PID 5828 wrote to memory of 5696	5828	WScript.exe	115
PID 5828 wrote to memory of 5696	5828	WScript.exe	115
PID 5696 wrote to memory of 4412	5696	unsecapp.exe	116
PID 5696 wrote to memory of 4412	5696	unsecapp.exe	116
PID 5696 wrote to memory of 5312	5696	unsecapp.exe	117
PID 5696 wrote to memory of 5312	5696	unsecapp.exe	117
PID 4412 wrote to memory of 716	4412	WScript.exe	119
PID 4412 wrote to memory of 716	4412	WScript.exe	119
PID 716 wrote to memory of 5124	716	unsecapp.exe	120
PID 716 wrote to memory of 5124	716	unsecapp.exe	120
PID 716 wrote to memory of 5360	716	unsecapp.exe	121
PID 716 wrote to memory of 5360	716	unsecapp.exe	121
PID 5124 wrote to memory of 4744	5124	WScript.exe	122
PID 5124 wrote to memory of 4744	5124	WScript.exe	122
PID 4744 wrote to memory of 4696	4744	unsecapp.exe	123
PID 4744 wrote to memory of 4696	4744	unsecapp.exe	123
PID 4744 wrote to memory of 5972	4744	unsecapp.exe	124
PID 4744 wrote to memory of 5972	4744	unsecapp.exe	124
PID 4696 wrote to memory of 872	4696	WScript.exe	125
PID 4696 wrote to memory of 872	4696	WScript.exe	125
PID 872 wrote to memory of 5740	872	unsecapp.exe	126
PID 872 wrote to memory of 5740	872	unsecapp.exe	126
PID 872 wrote to memory of 5064	872	unsecapp.exe	128
PID 872 wrote to memory of 5064	872	unsecapp.exe	128
PID 5740 wrote to memory of 1708	5740	WScript.exe	137
PID 5740 wrote to memory of 1708	5740	WScript.exe	137
PID 1708 wrote to memory of 5060	1708	unsecapp.exe	138
PID 1708 wrote to memory of 5060	1708	unsecapp.exe	138
PID 1708 wrote to memory of 1564	1708	unsecapp.exe	139
PID 1708 wrote to memory of 1564	1708	unsecapp.exe	139
PID 5060 wrote to memory of 1636	5060	WScript.exe	140
PID 5060 wrote to memory of 1636	5060	WScript.exe	140
PID 1636 wrote to memory of 2068	1636	unsecapp.exe	141
PID 1636 wrote to memory of 2068	1636	unsecapp.exe	141
PID 1636 wrote to memory of 1648	1636	unsecapp.exe	142
PID 1636 wrote to memory of 1648	1636	unsecapp.exe	142
PID 2068 wrote to memory of 1088	2068	WScript.exe	143
PID 2068 wrote to memory of 1088	2068	WScript.exe	143
PID 1088 wrote to memory of 3088	1088	unsecapp.exe	144
PID 1088 wrote to memory of 3088	1088	unsecapp.exe	144
PID 1088 wrote to memory of 4928	1088	unsecapp.exe	145
PID 1088 wrote to memory of 4928	1088	unsecapp.exe	145
PID 3088 wrote to memory of 3616	3088	WScript.exe	146
PID 3088 wrote to memory of 3616	3088	WScript.exe	146
PID 3616 wrote to memory of 1888	3616	unsecapp.exe	147
PID 3616 wrote to memory of 1888	3616	unsecapp.exe	147

System policy modification 1 TTPs 57 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	feb2c82a6695709d9304734b55a6a350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\feb2c82a6695709d9304734b55a6a350.exe
"C:\Users\Admin\AppData\Local\Temp\feb2c82a6695709d9304734b55a6a350.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\feb2c82a6695709d9304734b55a6a350.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\Win32_Tpm\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\kerberos\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDINGUJ\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_20949\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\wbem\kerberos\unsecapp.exe
  "C:\Windows\System32\wbem\kerberos\unsecapp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608e3c04-1a0c-4e1f-986c-53766c084a0c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5828
  - - C:\Windows\System32\wbem\kerberos\unsecapp.exe
      C:\Windows\System32\wbem\kerberos\unsecapp.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5696
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\effb9333-0889-4f04-8542-44d85906ce9a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a2fff85-bd22-4917-9b69-2660b6a8ff66.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5124
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\909fe807-b752-4f6a-afff-e5e6b1b1c0c1.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b36dd8ca-1ecb-4420-89b3-e909b4edb36a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5740
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74a0b53c-2e79-438e-bf46-b57e7216d146.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\403ea17c-b056-411c-815a-0eae04d4492a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10890573-2475-4486-8384-a299d99c6b70.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bf0db67-7c80-407e-8f1e-c8986c86d197.vbs"
        19⤵
        
        PID:1888
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f67f50c-b476-4390-b8a2-e74c95e3b901.vbs"
        21⤵
        
        PID:1644
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\857aa9d2-6c09-4c93-8261-33a9631aed07.vbs"
        23⤵
        
        PID:4004
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cdbf0e-b33f-4f65-839c-162463e957f3.vbs"
        25⤵
        
        PID:3424
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a657fc44-75ee-4ae2-9e26-e2b33b364649.vbs"
        27⤵
        
        PID:4524
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b47c9c65-81b0-423b-a0f6-75a8632eb6ed.vbs"
        29⤵
        
        PID:4944
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9822aba5-1dde-4f5f-8e64-f208f556d56f.vbs"
        31⤵
        
        PID:3912
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\399c1abe-59bb-4ede-af9b-3a69ee8ca7ae.vbs"
        33⤵
        
        PID:5632
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\694cd3ab-fc5a-4347-a794-5dcfac37e01b.vbs"
        35⤵
        
        PID:3916
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        
        C:\Windows\System32\wbem\kerberos\unsecapp.exe
        36⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92805fce-3e51-497a-92e9-68ed6f45357f.vbs"
        37⤵
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb86a5f9-1b74-44a5-980d-c9f0ccaf4600.vbs"
        37⤵
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34455a3a-1a2b-45cf-ac01-0d322f56bcc5.vbs"
        35⤵
        
        PID:3536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0712f5ba-8b76-4ae8-9048-109de66d5ae6.vbs"
        33⤵
        
        PID:4888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3c825f8-6fb0-4a7e-b6d6-ccd56f73dedf.vbs"
        31⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3495154-ba8c-44cb-ac6a-56c9b599ce78.vbs"
        29⤵
        
        PID:5580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b16065ed-3aef-4fcc-b9f2-dcb57b3b7376.vbs"
        27⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f9fb9dc-4ac9-477a-b501-c26228c10e3c.vbs"
        25⤵
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc102f37-99b6-430d-9ab5-f09952a5516e.vbs"
        23⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3b00835-d416-433e-8b7b-b659851276fa.vbs"
        21⤵
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9d6607f-9c20-40d3-8576-52f61093b17a.vbs"
        19⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73dc0945-e51b-4d35-a365-74138e8aaeda.vbs"
        17⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eded5b7-629e-4453-95ef-c2c351111ede.vbs"
        15⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02f402e9-d809-4cbb-8332-95d60d91f559.vbs"
        13⤵
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdadfdb7-a8b8-4c7b-afbd-6e41fc33bdb8.vbs"
        11⤵
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35d3e95a-985f-4645-90e6-5e407a4a5b39.vbs"
        9⤵
        
        PID:5972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c46c9ac-06e0-48be-ab50-54b728a6cfcd.vbs"
        7⤵
        
        PID:5360
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff6bb5f2-8b1a-4400-be59-a3a762905fa5.vbs"
        5⤵
        
        PID:5312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcb1ba02-5096-47da-b82b-cae42da9a7cf.vbs"
    3⤵
    PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\Win32_Tpm\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\kerberos\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\KBDINGUJ\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\C_20949\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\PerfLogs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\SearchApp.exe

Filesize
1.1MB

MD5
feb2c82a6695709d9304734b55a6a350

SHA1
3554b395961de66e5d84c1fc0ba527a0c205d965

SHA256
56d979b2ce2e20c7cb13c3cf49ec8c462f311fe38f2b75e80a4e90dee425c844

SHA512
952f21c0c48c66e5a17c4cd757d107de6d45fff4b2e0e8506e29910287b9888e8f8f5344edda596393d23d300c3048a60b6ae94386daf1acbf4c8032612ac2db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672e8b21617ca3b368c6c154913fcfff

SHA1
cb3dab8c008b5fba2af958ce2c416c01baa6a98b

SHA256
b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

SHA512
98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2e67766ebbf9a065d2d6698d1e76a22

SHA1
880bd6eb37a65027fd6b100beb69326469e62786

SHA256
2123e4031ccd3bb8f144c209b0d0b1fc37623a472caa18fa31b6ccf787001120

SHA512
d39497ddd1abb45733a35e4fa7a9958cc736addbd37e18820cc3149b704814e9db4d8146e6737fcb2e3c93c0e945d567d0995c7657e982c574886b29dfdd8a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\10890573-2475-4486-8384-a299d99c6b70.vbs

Filesize
722B

MD5
706127c3cca0be4bd8442a0eb2192dc6

SHA1
8da5919159f0118f19e4861949654fa52fc22b57

SHA256
af33b4e50f6068f4a231bbca0904b2d3adc5f20145c81915327a7f781553a7b2

SHA512
4313546907ce75a5cb97c94edb3991ad0af1e46cb588e18be1b289a92e0e89657202481d3edb83326988253ebcb646ca4367d4cc0a3c11db0b1f112fedc5baae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bf0db67-7c80-407e-8f1e-c8986c86d197.vbs

Filesize
722B

MD5
c48cc80621154a0c8e4513bec45446bb

SHA1
c0b8266a87a3af37c4962d8c24cdc12ca6db2d1a

SHA256
8df83d153706d7678dfbbbbcc2837d3800472d6c6b6f2e24e9ac52bb5dd1ba8d

SHA512
11410cec753ea4c1449e96a422d84891d2e904e43ddf9f62b16c764a29b4f6bf70f4c63c364e445ceb7a4ef686a4f0faea03bc74ded92c77ffdb5e0ca840280a

Download Submit
C:\Users\Admin\AppData\Local\Temp\403ea17c-b056-411c-815a-0eae04d4492a.vbs

Filesize
722B

MD5
b12479bb77f6ef4dda4325e1211cac6f

SHA1
e40e2455e6bf170ce280675ba7eb4c6450fc6094

SHA256
f420c4a85759e6587a83921c218a5ecf27cd858dc325bd2dcb395aa0688b3437

SHA512
cd8ef405f0dc90dea51893dd7c2932b2ed2ce4eec8630437549c16c06c642bcb11e67174a560cdf4b7650aa00079cfa6602cdf2e9ca5a85436f4d593b8cf632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\608e3c04-1a0c-4e1f-986c-53766c084a0c.vbs

Filesize
722B

MD5
b32c9ec2f7981ebdacfb470f9ce1a931

SHA1
6cda3161780c8f1f24539fd87affaa9cb6b163cc

SHA256
572fc51f8cfdb1ff31c41c0b75c46d7d54ca149e0d1d8b0d3732e84439249876

SHA512
b63ad7fd8f39c6fa64ce60bda132cfd6fa5f27e62652c2718baaa8089325b11a95b40f90631b5c0ea678137c0cf13cd7e707f7d143f397a11b9a21af10ac44ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f67f50c-b476-4390-b8a2-e74c95e3b901.vbs

Filesize
722B

MD5
0d382bc971c91117fdb9de301f28586e

SHA1
71798bce653d8119f9483437ef66b1f16745255d

SHA256
0b9d7f8b95afabd90dac03e32d5445a798edc9a5408feca11ec88e76f92eb41a

SHA512
1cdb71485a411fc144411e9bf2e4b6a6209673e60b03e0690dbf3e541933efee27268cbb3e70ce14829527a42ab5eca9af0968eb5d46e179566637d8af9c071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\74a0b53c-2e79-438e-bf46-b57e7216d146.vbs

Filesize
722B

MD5
af0be32dda99d61b21193be018aa83a7

SHA1
51ce77db79dc9965d834d7998d18ab5f7252d599

SHA256
659d81a2d209602a5fda502878f348399e71a648dfd0de398f200e2a56dfe8cb

SHA512
7d0cf3cd2cc12e950bb1e46bfca6db1f08ee5318353bd653a87d55d0e74b726c9dc3902fc9a5ea014c9a28d5ae9175decf8136e1c7151dab4247be1c4f99ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\857aa9d2-6c09-4c93-8261-33a9631aed07.vbs

Filesize
722B

MD5
43bcb867bb6e5b7d56a786a5069e6fe9

SHA1
c823f4947dd487951a8783a3f4cd7c297b6feb8a

SHA256
568b7e64d460643af37a1a9ce3b1b5acd108d2db3da22c7b0dace19d300f6abd

SHA512
07d7692297ee97d17725c06a642b82b487db923b29249c5754fae502dd9672279ddf432e86116998f36030792b0c1df1cfc05f82b58c96089eca5f96c3315cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\89cdbf0e-b33f-4f65-839c-162463e957f3.vbs

Filesize
722B

MD5
cd886b86a052f79af33d3f0a037c4143

SHA1
be3e68a2ba80427aee7cb87fc90844d1266a0cd3

SHA256
1897bdfd677b0f460e3a14248818211adb604940de3bb2c046acbc29dd6a4967

SHA512
7ddec789c46c7051789aaf09f206364b914c35585efbbde31b2e2576c7d7703421184e5ba7a6c22458b4628d13d8b8316010395afd4c722b3e976a1fc024e2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\909fe807-b752-4f6a-afff-e5e6b1b1c0c1.vbs

Filesize
722B

MD5
4d702c1b66255db05a1ea6110452ca64

SHA1
d872a1d09d3bf8ec0a4374d0622244ef3a240ed3

SHA256
6baabe8df1e8388819cd2f4446eabc468585a18d641514a94afdb5ee025682ab

SHA512
744d020aa3f56e4a5a2eadc1d53c3f89fcee384cc0faec138ea181eb3baec0ec9bb8e521a4065da6b6f5519b34f218f186aa82031bdbd19e97609510a68cd9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a2fff85-bd22-4917-9b69-2660b6a8ff66.vbs

Filesize
721B

MD5
eb7408b3a2b5d14adb06a2fd300ff7ad

SHA1
dc4298ebc927040b974da04bc66e84c7dcbc3a0b

SHA256
a1516c6a2acda43db61d0282a873690c39303066d6dd90ec1927ca5f568dec7c

SHA512
53b0513bb673ad300922306e629913c7c780234249afe44498728b0997a47a54036ccd73f42bb7b29ce9d679353ab69edfb41745cd153de45d0db887c5344575

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3una5ts.fbx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a657fc44-75ee-4ae2-9e26-e2b33b364649.vbs

Filesize
722B

MD5
67af3b7ed14655484aaff037827f955b

SHA1
cc1a590c19e25cfe4d94c31163049f592a3eb7f8

SHA256
9c22e5dd2ab5a1e6e43147db52c2fbaf2747d59d3700add12cae949136a1d8ee

SHA512
9cc8a8638fb27530602336747c68e855dc81361173249f870c0c8a4ef38ee18bb05d4f25eb197e3639dc49a45f025aa1c76a29ac9b2be26f455da58b247fabe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b36dd8ca-1ecb-4420-89b3-e909b4edb36a.vbs

Filesize
721B

MD5
f54db710a6a69eea006760b266f84384

SHA1
b35388420cc52db0287dd9a45d6c0ac9ed767b10

SHA256
3e63f3aabc3d516e9dda4222efca7bdd63cd56f3bd78f48a163df4363d678338

SHA512
d7f274442468b5e029f5741dccbbc85684efec52932a9e8e41c364be1e4419290771d4f6084ef49fdcfdb776869f3daaa06c72ab28c4bb0fd6c1eef93771be2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b47c9c65-81b0-423b-a0f6-75a8632eb6ed.vbs

Filesize
722B

MD5
9e6c56c070fdd21cc10389262a149e23

SHA1
2f1484b7aece67c24dc9773e09fd149099ab45fa

SHA256
c721ce72b8b77ca3bafd9b4ff5d051be692c4d31a169de762641f82881fc8631

SHA512
aea5b11a1baca08b0a1fc92532b8a7515ed9bd2f2f88e2450dbe6c24f8b4e547daa1afe8dcd4ca56e4bb1cb7211b79c6c9d23f7194998ad3997308ddfa69e47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcb1ba02-5096-47da-b82b-cae42da9a7cf.vbs

Filesize
498B

MD5
2ee4c6c28ab12ea8cc743d9a397d5ef4

SHA1
0b7fe270e2c003694a4a34fd307f5e65467e6480

SHA256
66aa877f2a619179517f2e753fa012bade2eee4b574f73c0a3ea5c1611c78994

SHA512
92d126544152fdc982b252040721abf8fa7dad286f3825b29773a4e008a33353083f70773ddceb4b3b9c0312806e2c3d3a59a5d247285763bff0a46643a641e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\effb9333-0889-4f04-8542-44d85906ce9a.vbs

Filesize
722B

MD5
2a568f20b63d6d4d261780e05237e1e5

SHA1
d21759fa83e166657d68982153c2b638abfe6f71

SHA256
efc7e47be038269fa92df9ed49559b05a6855a74370be83ef683d652233713a3

SHA512
5168b3de3927bc8f34d3d442ef33b22ac542e8367a8d27441853aa598a58b0243d3e906fe0c9aee1c389d7153c18a014de60f1f27b9934e3b0d4812dc6d5485d

Download Submit
memory/1320-10-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download
memory/1320-8-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/1320-0-0x00007FFDD8B23000-0x00007FFDD8B25000-memory.dmp

Filesize
8KB

Download
memory/1320-17-0x000000001BF60000-0x000000001BF6C000-memory.dmp

Filesize
48KB

Download
memory/1320-15-0x000000001BF40000-0x000000001BF4A000-memory.dmp

Filesize
40KB

Download
memory/1320-14-0x000000001BF30000-0x000000001BF3C000-memory.dmp

Filesize
48KB

Download
memory/1320-196-0x00007FFDD8B20000-0x00007FFDD95E1000-memory.dmp

Filesize
10.8MB

Download
memory/1320-12-0x000000001BF10000-0x000000001BF18000-memory.dmp

Filesize
32KB

Download
memory/1320-13-0x000000001BF20000-0x000000001BF2A000-memory.dmp

Filesize
40KB

Download
memory/1320-16-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/1320-11-0x000000001BF00000-0x000000001BF10000-memory.dmp

Filesize
64KB

Download
memory/1320-20-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/1320-25-0x00007FFDD8B20000-0x00007FFDD95E1000-memory.dmp

Filesize
10.8MB

Download
memory/1320-18-0x000000001BF70000-0x000000001BF78000-memory.dmp

Filesize
32KB

Download
memory/1320-9-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/1320-24-0x00007FFDD8B20000-0x00007FFDD95E1000-memory.dmp

Filesize
10.8MB

Download
memory/1320-7-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

Filesize
48KB

Download
memory/1320-6-0x000000001B890000-0x000000001B89A000-memory.dmp

Filesize
40KB

Download
memory/1320-5-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/1320-3-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/1320-21-0x000000001BFE0000-0x000000001BFE8000-memory.dmp

Filesize
32KB

Download
memory/1320-4-0x000000001B880000-0x000000001B892000-memory.dmp

Filesize
72KB

Download
memory/1320-2-0x00007FFDD8B20000-0x00007FFDD95E1000-memory.dmp

Filesize
10.8MB

Download
memory/1320-1-0x0000000000B60000-0x0000000000C74000-memory.dmp

Filesize
1.1MB

Download
memory/1816-301-0x0000000001780000-0x0000000001792000-memory.dmp

Filesize
72KB

Download
memory/2928-335-0x00000000022D0000-0x00000000022E2000-memory.dmp

Filesize
72KB

Download
memory/4552-347-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/5916-130-0x0000022278110000-0x0000022278132000-memory.dmp

Filesize
136KB

Download