dcrat | 408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b

General

Target

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Size

2.7MB
MD5

2317326f5c2ec4b53d5071d19f1a5690
SHA1

384f47f21bd2dc1a67b80a5dcee9430f43bee08b
SHA256

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b
SHA512

98719abb8a334d96ecbd56450d2f55bd15a830ffb1ac516c79c0028f66f348f6b7389f5caf197615e0cd56a353299054ddc5159eb77b1f83c411012a9ac9b246
SSDEEP

49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default\\winlogon.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Default\\NetHood\\smss.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\wininit.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1252	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1064-1-0x0000000000E20000-0x00000000010E0000-memory.dmp	dcrat
C:\Windows\DiagTrack\Scenarios\spoolsv.exe	dcrat
C:\Program Files\Reference Assemblies\RCX7454.tmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1632 powershell.exe

pid	process
1632	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

1416 RuntimeBroker.exe

pid	process
1416	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\NetHood\\smss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\NetHood\\smss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Portable Devices\\wininit.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Photo Viewer\\dllhost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\dllhost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\sppsvc.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\backgroundTaskHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\winlogon.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Security\\BrowserCore\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Portable Devices\\wininit.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\SppExtComObj.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Reference Assemblies\\backgroundTaskHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\csrss.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\jre8\\lib\\RuntimeBroker.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\DiagTrack\\Scenarios\\spoolsv.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\winlogon.exe\""	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in Program Files directory 52 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Windows Mail\lsass.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\csrss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\dllhost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Security\BrowserCore\csrss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Java\jre8\lib\RCX6BA6.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Mail\RCX5749.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX702C.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX6393.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6E27.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Mail\wininit.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Reference Assemblies\backgroundTaskHost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCX618F.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Mail\56085415360792	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Security\BrowserCore\886983d96e3d3e	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Reference Assemblies\backgroundTaskHost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\MSBuild\Microsoft\9e8d7a4ca61bd9	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\eddb19405b7ce1	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Photo Viewer\dllhost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCX6598.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Java\jre8\lib\RuntimeBroker.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX69A1.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Mail\wininit.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Portable Devices\wininit.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX594D.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX679C.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\5940a34987c991	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX7240.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX7454.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files (x86)\Windows Mail\6203df4a6bafc7	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files\Java\jre8\lib\RuntimeBroker.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX786D.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Photo Viewer\5940a34987c991	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Java\jre8\lib\9e8d7a4ca61bd9	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Program Files\Reference Assemblies\eddb19405b7ce1	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsass.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Drops file in Windows directory 4 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
File opened for modification	C:\Windows\DiagTrack\Scenarios\spoolsv.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Windows\DiagTrack\Scenarios\spoolsv.exe	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File created	C:\Windows\DiagTrack\Scenarios\f3b6ecef712a24	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\RCX5F8A.tmp	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4532	schtasks.exe
4072	schtasks.exe
3632	schtasks.exe
4520	schtasks.exe
2628	schtasks.exe
4528	schtasks.exe
2696	schtasks.exe
3472	schtasks.exe
4036	schtasks.exe
904	schtasks.exe
4808	schtasks.exe
1196	schtasks.exe
4008	schtasks.exe
1280	schtasks.exe
460	schtasks.exe
5016	schtasks.exe
1760	schtasks.exe
212	schtasks.exe
4504	schtasks.exe
3224	schtasks.exe
3768	schtasks.exe
2296	schtasks.exe
2120	schtasks.exe
4972	schtasks.exe
4164	schtasks.exe
5024	schtasks.exe
2532	schtasks.exe
4048	schtasks.exe
2440	schtasks.exe
2652	schtasks.exe
2300	schtasks.exe
3460	schtasks.exe
4160	schtasks.exe
3624	schtasks.exe
3928	schtasks.exe
4188	schtasks.exe
4904	schtasks.exe
4292	schtasks.exe
5000	schtasks.exe
2200	schtasks.exe
4416	schtasks.exe
3136	schtasks.exe
2884	schtasks.exe
4588	schtasks.exe
3572	schtasks.exe
4180	schtasks.exe
396	schtasks.exe
4308	schtasks.exe
3152	schtasks.exe
3144	schtasks.exe
4076	schtasks.exe
2336	schtasks.exe
4928	schtasks.exe
3916	schtasks.exe
316	schtasks.exe
3508	schtasks.exe
3596	schtasks.exe

Modifies registry class 1 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exepowershell.exeRuntimeBroker.exe

pid	process
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe
1416	RuntimeBroker.exe
1416	RuntimeBroker.exe
1416	RuntimeBroker.exe
1416	RuntimeBroker.exe
1416	RuntimeBroker.exe
1416	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exepowershell.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1416	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 1632	1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	powershell.exe
PID 1064 wrote to memory of 1632	1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	powershell.exe
PID 1064 wrote to memory of 4084	1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	cmd.exe
PID 1064 wrote to memory of 4084	1064	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe	cmd.exe
PID 4084 wrote to memory of 4968	4084	cmd.exe	w32tm.exe
PID 4084 wrote to memory of 4968	4084	cmd.exe	w32tm.exe
PID 4084 wrote to memory of 1416	4084	cmd.exe	RuntimeBroker.exe
PID 4084 wrote to memory of 1416	4084	cmd.exe	RuntimeBroker.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

RuntimeBroker.exe408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe
"C:\Users\Admin\AppData\Local\Temp\408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sc8TlwHPlW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4968
- - C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe
    "C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Scenarios\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Scenarios\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre8\lib\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre8\lib\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\RCX7454.tmp

Filesize
2.7MB

MD5
b56a2733c63420219134215935a3ff92

SHA1
c308ef499d83612f303b620f88f488aaf105acf9

SHA256
13923bc4e619e7cfdc25c2641281580938416544d4737c3e5e1ca46ffa0da21d

SHA512
d908e30088658c0d2a49d6888d87fc90aa962af021787034acf35e3c08443cc51a38e90a78a1a88485272bc8177208b8445bd8e54a321a8e59e04bb894408ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sc8TlwHPlW.bat

Filesize
217B

MD5
0731436021bd6ebf3e3d267a456ddb03

SHA1
d116b48acdb88a7dae8ef68fbefa61e1b3b785f9

SHA256
90507e48084080da2ccf1988601d572e84f88a457d7bdf3a96ca471351ef8022

SHA512
694e4c915bc9c3d82f022f84e2f35da56755f349579015017ec95874c29e88b4074bf6688f7eb79f7c23a3d7f7f19687233b9a88097e8f48fd16a520c90eb875

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_chqzitmx.14f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\DiagTrack\Scenarios\spoolsv.exe

Filesize
2.7MB

MD5
2317326f5c2ec4b53d5071d19f1a5690

SHA1
384f47f21bd2dc1a67b80a5dcee9430f43bee08b

SHA256
408d3ec50e5bc7acbc10157fc08b995578ab30c975e9567b5ad9708cc8a7f09b

SHA512
98719abb8a334d96ecbd56450d2f55bd15a830ffb1ac516c79c0028f66f348f6b7389f5caf197615e0cd56a353299054ddc5159eb77b1f83c411012a9ac9b246

Download Submit
memory/1064-16-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/1064-19-0x000000001BD80000-0x000000001BD8C000-memory.dmp

Filesize
48KB

Download
memory/1064-7-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/1064-9-0x0000000003370000-0x0000000003378000-memory.dmp

Filesize
32KB

Download
memory/1064-6-0x00000000018B0000-0x00000000018B8000-memory.dmp

Filesize
32KB

Download
memory/1064-8-0x0000000003240000-0x0000000003256000-memory.dmp

Filesize
88KB

Download
memory/1064-11-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/1064-10-0x0000000003380000-0x0000000003388000-memory.dmp

Filesize
32KB

Download
memory/1064-12-0x00000000033A0000-0x00000000033AA000-memory.dmp

Filesize
40KB

Download
memory/1064-13-0x000000001BD00000-0x000000001BD56000-memory.dmp

Filesize
344KB

Download
memory/1064-18-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/1064-17-0x000000001BD60000-0x000000001BD68000-memory.dmp

Filesize
32KB

Download
memory/1064-0-0x00007FFBCDF43000-0x00007FFBCDF45000-memory.dmp

Filesize
8KB

Download
memory/1064-15-0x00000000033C0000-0x00000000033C8000-memory.dmp

Filesize
32KB

Download
memory/1064-14-0x00000000033B0000-0x00000000033B8000-memory.dmp

Filesize
32KB

Download
memory/1064-5-0x000000001BCB0000-0x000000001BD00000-memory.dmp

Filesize
320KB

Download
memory/1064-20-0x000000001BD90000-0x000000001BD98000-memory.dmp

Filesize
32KB

Download
memory/1064-22-0x000000001C6C0000-0x000000001C6CC000-memory.dmp

Filesize
48KB

Download
memory/1064-21-0x000000001C6B0000-0x000000001C6B8000-memory.dmp

Filesize
32KB

Download
memory/1064-23-0x000000001C6D0000-0x000000001C6DC000-memory.dmp

Filesize
48KB

Download
memory/1064-26-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp

Filesize
10.8MB

Download
memory/1064-28-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp

Filesize
10.8MB

Download
memory/1064-27-0x000000001C740000-0x000000001C74C000-memory.dmp

Filesize
48KB

Download
memory/1064-24-0x000000001C720000-0x000000001C728000-memory.dmp

Filesize
32KB

Download
memory/1064-25-0x000000001C730000-0x000000001C73A000-memory.dmp

Filesize
40KB

Download
memory/1064-4-0x00000000018D0000-0x00000000018EC000-memory.dmp

Filesize
112KB

Download
memory/1064-3-0x00000000018A0000-0x00000000018A8000-memory.dmp

Filesize
32KB

Download
memory/1064-205-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp

Filesize
10.8MB

Download
memory/1064-2-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp

Filesize
10.8MB

Download
memory/1064-1-0x0000000000E20000-0x00000000010E0000-memory.dmp

Filesize
2.8MB

Download
memory/1632-215-0x000001E122EB0000-0x000001E122ED2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads