dcrat | 9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Size

1.5MB
MD5

8261fc22f84b5aeed1dd90a21e189642
SHA1

14d5d5ab37929a700f93adfcb460da55b7409b34
SHA256

9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c
SHA512

f3c530c918c332a1cd21f9c9fb9593772616c9e90436ea6219296612c047a526c73326944f592f23c81cd2e8b4fa5168f52bf8c1f5133d0db03b5d9923179cec
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\", \"C:\\Windows\\hh\\sysmon.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Documents and Settings\\smss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\KBDBHC\\RuntimeBroker.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\KBDBHC\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\TSWorkspace\\taskhostw.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\", \"C:\\Windows\\hh\\sysmon.exe\", \"C:\\Documents and Settings\\smss.exe\", \"C:\\Windows\\System32\\KBDBHC\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\TSWorkspace\\taskhostw.exe\", \"C:\\PerfLogs\\taskhostw.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	320	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	320	schtasks.exe	82

UAC bypass 3 TTPs 54 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4324	powershell.exe
3620	powershell.exe
4980	powershell.exe
4604	powershell.exe
2932	powershell.exe
4804	powershell.exe
1764	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 17 IoCs

pid	Process
4184	RuntimeBroker.exe
3176	RuntimeBroker.exe
4940	RuntimeBroker.exe
4112	RuntimeBroker.exe
2392	RuntimeBroker.exe
2256	RuntimeBroker.exe
3976	RuntimeBroker.exe
2136	RuntimeBroker.exe
3212	RuntimeBroker.exe
3088	RuntimeBroker.exe
4900	RuntimeBroker.exe
2268	RuntimeBroker.exe
4380	RuntimeBroker.exe
1604	RuntimeBroker.exe
1648	RuntimeBroker.exe
1660	RuntimeBroker.exe
4884	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\TSWorkspace\\taskhostw.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\PerfLogs\\taskhostw.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\hh\\sysmon.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\hh\\sysmon.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\PerfLogs\\taskhostw.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Windows\\System32\\osbaseln\\MusNotification.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\KBDBHC\\RuntimeBroker.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\KBDBHC\\RuntimeBroker.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\TSWorkspace\\taskhostw.exe\""	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\KBDBHC\9e8d7a4ca61bd9	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\TSWorkspace\taskhostw.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\osbaseln\MusNotification.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\osbaseln\MusNotification.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\osbaseln\aa97147c4c782d	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\KBDBHC\RuntimeBroker.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\KBDBHC\RuntimeBroker.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\TSWorkspace\RCXB319.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\TSWorkspace\taskhostw.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\System32\TSWorkspace\ea9f0e6c9e2dcd	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\osbaseln\RCXAA2B.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\System32\KBDBHC\RCXB114.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hh\sysmon.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\hh\sysmon.exe	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File created	C:\Windows\hh\121e5b5079f7c0	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
File opened for modification	C:\Windows\hh\RCXAC30.tmp	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1092	schtasks.exe
516	schtasks.exe
1800	schtasks.exe
740	schtasks.exe
5044	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
2932	powershell.exe
4604	powershell.exe
4980	powershell.exe
4324	powershell.exe
3620	powershell.exe
3620	powershell.exe
1764	powershell.exe
1764	powershell.exe
4804	powershell.exe
4804	powershell.exe
2932	powershell.exe
2932	powershell.exe
4324	powershell.exe
4324	powershell.exe
4980	powershell.exe
4980	powershell.exe
3620	powershell.exe
4604	powershell.exe
4604	powershell.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
1764	powershell.exe
3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
4804	powershell.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe
4184	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4184	RuntimeBroker.exe
Token: SeDebugPrivilege	3176	RuntimeBroker.exe
Token: SeDebugPrivilege	4940	RuntimeBroker.exe
Token: SeDebugPrivilege	4112	RuntimeBroker.exe
Token: SeDebugPrivilege	2392	RuntimeBroker.exe
Token: SeDebugPrivilege	2256	RuntimeBroker.exe
Token: SeDebugPrivilege	3976	RuntimeBroker.exe
Token: SeDebugPrivilege	2136	RuntimeBroker.exe
Token: SeDebugPrivilege	3212	RuntimeBroker.exe
Token: SeDebugPrivilege	3088	RuntimeBroker.exe
Token: SeDebugPrivilege	4900	RuntimeBroker.exe
Token: SeDebugPrivilege	2268	RuntimeBroker.exe
Token: SeDebugPrivilege	4380	RuntimeBroker.exe
Token: SeDebugPrivilege	1604	RuntimeBroker.exe
Token: SeDebugPrivilege	1648	RuntimeBroker.exe
Token: SeDebugPrivilege	1660	RuntimeBroker.exe
Token: SeDebugPrivilege	4884	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4804	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	92
PID 3672 wrote to memory of 4804	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	92
PID 3672 wrote to memory of 2932	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	93
PID 3672 wrote to memory of 2932	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	93
PID 3672 wrote to memory of 4604	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	94
PID 3672 wrote to memory of 4604	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	94
PID 3672 wrote to memory of 4980	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	95
PID 3672 wrote to memory of 4980	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	95
PID 3672 wrote to memory of 3620	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	96
PID 3672 wrote to memory of 3620	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	96
PID 3672 wrote to memory of 4324	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	97
PID 3672 wrote to memory of 4324	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	97
PID 3672 wrote to memory of 1764	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	98
PID 3672 wrote to memory of 1764	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	98
PID 3672 wrote to memory of 4184	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	106
PID 3672 wrote to memory of 4184	3672	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe	106
PID 4184 wrote to memory of 5000	4184	RuntimeBroker.exe	107
PID 4184 wrote to memory of 5000	4184	RuntimeBroker.exe	107
PID 4184 wrote to memory of 4768	4184	RuntimeBroker.exe	108
PID 4184 wrote to memory of 4768	4184	RuntimeBroker.exe	108
PID 5000 wrote to memory of 3176	5000	WScript.exe	112
PID 5000 wrote to memory of 3176	5000	WScript.exe	112
PID 3176 wrote to memory of 3968	3176	RuntimeBroker.exe	113
PID 3176 wrote to memory of 3968	3176	RuntimeBroker.exe	113
PID 3176 wrote to memory of 3112	3176	RuntimeBroker.exe	114
PID 3176 wrote to memory of 3112	3176	RuntimeBroker.exe	114
PID 3968 wrote to memory of 4940	3968	WScript.exe	115
PID 3968 wrote to memory of 4940	3968	WScript.exe	115
PID 4940 wrote to memory of 3064	4940	RuntimeBroker.exe	116
PID 4940 wrote to memory of 3064	4940	RuntimeBroker.exe	116
PID 4940 wrote to memory of 3952	4940	RuntimeBroker.exe	117
PID 4940 wrote to memory of 3952	4940	RuntimeBroker.exe	117
PID 3064 wrote to memory of 4112	3064	WScript.exe	118
PID 3064 wrote to memory of 4112	3064	WScript.exe	118
PID 4112 wrote to memory of 4180	4112	RuntimeBroker.exe	119
PID 4112 wrote to memory of 4180	4112	RuntimeBroker.exe	119
PID 4112 wrote to memory of 3520	4112	RuntimeBroker.exe	121
PID 4112 wrote to memory of 3520	4112	RuntimeBroker.exe	121
PID 4180 wrote to memory of 2392	4180	WScript.exe	123
PID 4180 wrote to memory of 2392	4180	WScript.exe	123
PID 2392 wrote to memory of 3884	2392	RuntimeBroker.exe	124
PID 2392 wrote to memory of 3884	2392	RuntimeBroker.exe	124
PID 2392 wrote to memory of 2516	2392	RuntimeBroker.exe	125
PID 2392 wrote to memory of 2516	2392	RuntimeBroker.exe	125
PID 3884 wrote to memory of 2256	3884	WScript.exe	126
PID 3884 wrote to memory of 2256	3884	WScript.exe	126
PID 2256 wrote to memory of 2468	2256	RuntimeBroker.exe	127
PID 2256 wrote to memory of 2468	2256	RuntimeBroker.exe	127
PID 2256 wrote to memory of 1984	2256	RuntimeBroker.exe	128
PID 2256 wrote to memory of 1984	2256	RuntimeBroker.exe	128
PID 2468 wrote to memory of 3976	2468	WScript.exe	129
PID 2468 wrote to memory of 3976	2468	WScript.exe	129
PID 3976 wrote to memory of 3680	3976	RuntimeBroker.exe	130
PID 3976 wrote to memory of 3680	3976	RuntimeBroker.exe	130
PID 3976 wrote to memory of 2312	3976	RuntimeBroker.exe	131
PID 3976 wrote to memory of 2312	3976	RuntimeBroker.exe	131
PID 3680 wrote to memory of 2136	3680	WScript.exe	132
PID 3680 wrote to memory of 2136	3680	WScript.exe	132
PID 2136 wrote to memory of 4740	2136	RuntimeBroker.exe	133
PID 2136 wrote to memory of 4740	2136	RuntimeBroker.exe	133
PID 2136 wrote to memory of 4264	2136	RuntimeBroker.exe	134
PID 2136 wrote to memory of 4264	2136	RuntimeBroker.exe	134
PID 4740 wrote to memory of 3212	4740	WScript.exe	135
PID 4740 wrote to memory of 3212	4740	WScript.exe	135

System policy modification 1 TTPs 54 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe
"C:\Users\Admin\AppData\Local\Temp\9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\osbaseln\MusNotification.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\hh\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDBHC\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\TSWorkspace\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\KBDBHC\RuntimeBroker.exe
  "C:\Windows\System32\KBDBHC\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4184
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c08ed48-b688-44d4-9382-ed5c66833746.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\KBDBHC\RuntimeBroker.exe
      C:\Windows\System32\KBDBHC\RuntimeBroker.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3176
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\717c475a-3018-4fb7-8460-a9fe7ce79265.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2733ef-9d63-4327-a678-6dccb9cfac10.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e06c475-dcc6-4a84-9eb4-6803c902952d.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8617b478-172c-4f7b-87ce-1ddda3a9294b.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8ff3d35-5593-42c9-a954-8eaeb977b06b.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf2c3e38-6443-44c7-8939-7fd868ab3952.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a9549b4-0a9f-4c1d-869c-7581f9990988.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a3bf584-5f03-49cf-ba49-aa276e9e2563.vbs"
        19⤵
        
        PID:1228
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be24c3b7-7a14-4e9e-b5f1-6093cc453b4f.vbs"
        21⤵
        
        PID:1704
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b370706-5fe0-4781-b78f-ded7576ac428.vbs"
        23⤵
        
        PID:3616
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e157039d-de5a-490d-b2c3-a43a4c19be9c.vbs"
        25⤵
        
        PID:2760
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eae065c-19b5-4e20-b449-6877be02b624.vbs"
        27⤵
        
        PID:1308
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8463a489-b2ce-490a-911e-63543542c6fc.vbs"
        29⤵
        
        PID:4600
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2bf6257-56a1-4662-bd7a-b7f09df7ec62.vbs"
        31⤵
        
        PID:4116
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b50e522-519b-45bb-8b95-c7f15cfc414b.vbs"
        33⤵
        
        PID:2932
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        
        C:\Windows\System32\KBDBHC\RuntimeBroker.exe
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25924eb9-8819-45eb-a49b-ab585fe1557d.vbs"
        35⤵
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\851f9b41-5076-4495-b34e-44c4fb28213d.vbs"
        35⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b70e51e-06c7-449f-b2f9-d59b0262c210.vbs"
        33⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3e3019b-d008-4009-881d-ed76f565b664.vbs"
        31⤵
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f34f820a-7b4a-4ba1-9f1c-8f5ad4a021d8.vbs"
        29⤵
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45bbeff8-d518-4fd7-a5be-63faeda5624e.vbs"
        27⤵
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44337373-2882-4c53-89fc-6fe9566d5dc3.vbs"
        25⤵
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a38b21fe-a753-4c16-968e-730558241d4a.vbs"
        23⤵
        
        PID:3540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c70a63-4ff5-4524-a6d3-7ba9e3ddcca9.vbs"
        21⤵
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7b8f116-cd7e-487a-b2ee-788eee94dc01.vbs"
        19⤵
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa16f78f-fe6c-43b0-abd2-b416cd6a6c43.vbs"
        17⤵
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab7a705-fd5b-4241-b954-0d602750b5cf.vbs"
        15⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fc9bb00-88de-4bab-a163-bc0773d18696.vbs"
        13⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c09ace5-cf9c-4f1c-881b-2e2ea7cb1ff5.vbs"
        11⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0001be7a-376d-4eb1-b85a-08f805c0c429.vbs"
        9⤵
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdbf7284-c1de-4bc4-8baf-b7b40e84c82b.vbs"
        7⤵
        
        PID:3952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c4f8312-22d9-485a-8cdd-f4d3c4f31155.vbs"
        5⤵
        
        PID:3112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4458a123-01d3-48c5-ab0d-219c7e1ad317.vbs"
    3⤵
    PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\System32\osbaseln\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\hh\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\KBDBHC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\TSWorkspace\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\PerfLogs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\taskhostw.exe

Filesize
1.5MB

MD5
369402384742d1504adaa13f0eeee1b4

SHA1
b26bc397ad2f7a094002333ccabb5f9086a64366

SHA256
1f54291a44653d923713c9345b10735c4afac6cfae6066bbe3445f3785f982ab

SHA512
874a8c4fd722998621a5e3d7c8dba3bcbfb6857e6d4e185a465a66038ac8473dc2c087c4457d0d17b4cf376e1ad2cf7dcf993595018fdb106ace87ce4617969c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c08ed48-b688-44d4-9382-ed5c66833746.vbs

Filesize
720B

MD5
18e8ff373df923d5921b7678b3d377da

SHA1
8984d324631934f845cde6d463489385b3dcfeda

SHA256
aa2985ec7db5b6f17bc36982268cb29c6253987dfa7ff123acc692dd44bcf0e5

SHA512
1cce247f0c8f585b0d3190e1fe4b71c96c3085e3ed53708cb80076286e052daaf03bfa51252290804948bd383bbbec5e254d25efdf740426bee12317dc0d84cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b2733ef-9d63-4327-a678-6dccb9cfac10.vbs

Filesize
720B

MD5
3d76b5edc5f9fb5ee9b0bacf638a23cf

SHA1
9812bd54b7c01ad8699e837daca20732ff3eff2d

SHA256
3308a168389effd302b552e3e03c06479b4d68e6816fb7e541d3ae59eb382558

SHA512
5820a882ef52d58b96e08d83a45043b8592b1235775f65cf04fb75dd37bb99d82602eb82d73eabfc186fa4aa9dd5f79a77fcafc3e6d448b2f520945f7e49f99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a9549b4-0a9f-4c1d-869c-7581f9990988.vbs

Filesize
720B

MD5
7cb0440cbbb5e3a8b9ee00cd421826cc

SHA1
017fe11ab4266bb120d49402be40b6c10dde6fbe

SHA256
f353e12c7c4e6961e273a0ff2b5baa68da35e9e59b36a1cc01fe2a1bcf543e06

SHA512
255204c8336f69cbc43d98482cd864b9b1aed29bdb777e97f5ec2066bbda88c78a8137d4362383888f260358e4b12d7f41cb43a7d7219abd947aee80e8fe26f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4458a123-01d3-48c5-ab0d-219c7e1ad317.vbs

Filesize
496B

MD5
a8a1b7234d394d67bc437b0c01ad08fd

SHA1
8ad17f533cb0da809057c4114355e7bd7282a358

SHA256
33f6410535d929090245c4879d9fce5b1b5ed98338ac1536a15fdb716b09ec78

SHA512
87f1e0136d4de93ed9418357282d4ad02b93d0b121057a0a006330ca176fd38a29380087897c72f6f6d58cd1c9e49e5dc94bf8c4e1f7a78182d17e30ea5c7820

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eae065c-19b5-4e20-b449-6877be02b624.vbs

Filesize
720B

MD5
eebf7ca970ec05f94319931a8d85f9bf

SHA1
7d5f0a90be8a59240b87fc4c8f7a5d7f10191341

SHA256
ee76d556c87c34d98434ca00482f1f9a6c95bbb0b1e904d90eb5a3bc4da42ef2

SHA512
cfea875c4141756d36ebcf49198f1c783c28f753f18150cec08e33ab1db1dbcdc967d622c08e2bab5c867e60ab4b2b3cc37c9c65467cbfbd60e2e4099d63be60

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e06c475-dcc6-4a84-9eb4-6803c902952d.vbs

Filesize
720B

MD5
bd9693e191b6fccd932c2bb665f8e1b7

SHA1
ff1ecb4cdaead0d954bf510db7be1efc3dcf9ec1

SHA256
11688408d239a1d0026659fa6c0303a38b73c7f181ef684109d46b5ebfa62747

SHA512
41d819f2f8520275220e914200d70ccf243d1c84b1fe78bf1f3976767c3cc88ae1e24ef3d30f2a4885a80789defb953084c871a0f542c20126bfad86e35037dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\717c475a-3018-4fb7-8460-a9fe7ce79265.vbs

Filesize
720B

MD5
9f84c1f710692ae2e95be08fb61169f5

SHA1
b276ff7b49e98737768faa038962b19dad4ec0e7

SHA256
089b84a92eae020d45184dcf9ab8e49f3ededd16cffce197ae7bab43b822198c

SHA512
8c1808e4772c12f08096400e1691c4a6cf758098c22c2a62b92e5c578b4425fc74b4a1c1d1d5f5c462ffa15aec0cb1476c63b4d7a4dccbea2d6ffefeea2fa7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\8463a489-b2ce-490a-911e-63543542c6fc.vbs

Filesize
720B

MD5
481c4e4d0a7fd2301ff4e33a7a6f1a7d

SHA1
9b2da29d72c1c93b68589e0be3780a8a61d43fa4

SHA256
6b98304074197570fcd04a54cae669cd1305fc7dc8438c279a8c3575d8ca16ef

SHA512
4694243fdb9d091170893d317628c48e35244524dd159d412d4e92437c22cc14e449b9de1f1a1feb24eff5b712d6ed89af3274d90b3d5be8d0b6da46bac01f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8617b478-172c-4f7b-87ce-1ddda3a9294b.vbs

Filesize
720B

MD5
23ed7a47b02e0c0f07788e8b98a820e6

SHA1
06967cf6ffcbd27ab1cef28ecc46cb68dacc9af1

SHA256
ed83f5a1a01eb06d5756e687aab9da1c81d8c4dcc8f517911b79648246981491

SHA512
1c15ad868796b53b59a688451208b4002abb98dd4a5ab7ac3dd8db7962c075aeb8fd58d8ecb72548988cedce5b1215077db5ec4c5d47f91c8a9d04fa51ef660e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b370706-5fe0-4781-b78f-ded7576ac428.vbs

Filesize
720B

MD5
0126e23151399d30b5865a641a693dc2

SHA1
892ec9ff5edbd087e903610200f3f6a6bdc4782d

SHA256
83f5c217c883a8dec28bf15d058918de1d13f9ad8e013fae56df1a2825c87752

SHA512
3ee26a34e5f1f30f747aef72dd6e7448b782bfbc1931fb4da79be0d594aedd508c2e0a1c445a780ba266a4909c27ddc299a178aec8edab810721d3d6d23f69b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a3bf584-5f03-49cf-ba49-aa276e9e2563.vbs

Filesize
720B

MD5
db8bd394db991e4a179febccce082830

SHA1
712f23ed193ba45666b1b7eaa66c5d6d9aea2778

SHA256
bedcb1a5298d3eb1597a5e7e1e8faa3566e1634cb7af3397e6d5e2f0af39ccde

SHA512
7d662e201d501347ebc8e39c0f63b5fc43ad4eb41c34dd87c0f03d7026408b214ed8fdb92c8ac88ba36836bdaba829c6f02b48df2c6f94eed0fd7545e4df5d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4qvepip.pkx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be24c3b7-7a14-4e9e-b5f1-6093cc453b4f.vbs

Filesize
720B

MD5
9f45ead8fb0854aaec97365db0ce8ae4

SHA1
5b98d673415a9fc70fb6a5a246ece1a51575d831

SHA256
e678f69e502229c0d1f83ed53205a3f5be9a4814e937daafe4c3037a56290e96

SHA512
ffab5a98966a6c086cf74e576fa3ab6884c12b4dc0187111868a5edda568531328b75b4bf2a0adbc252287eb729dbc9428101c7026d93b35b9ad93dd10ebcbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8ff3d35-5593-42c9-a954-8eaeb977b06b.vbs

Filesize
720B

MD5
2db4a9c88248a73bdc2da64af01fdbfd

SHA1
c823b30026b8f4e089e7aac2d6e5a3028180ae7c

SHA256
2ee4edbfdf5e1a1f77396f2424f38012f0e8da4cd6c4895644176070cb064a37

SHA512
d5cb2766badfa6f8a2694cf2589e3a05642cdb607a59db52964d85fa6ba012a4f70ad1437975b1740620757927740ebde65480da82740ffea4cdb7a1d4c9b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf2c3e38-6443-44c7-8939-7fd868ab3952.vbs

Filesize
720B

MD5
41c823e643017f3c810950cd1d170f50

SHA1
1eb6525068915133d087ce205b723e0f0f59bc6c

SHA256
2df4c99df9336784cff616a694bd7cffce90b5fa03192619122174b14d36166d

SHA512
5196ba9fc3eed4e1f34d7cfec25a163bcf2f1ea3db09fee70a1cc4fad0579156e408ccb8d2b525b4de06d19d6af028b95930d4b100174ca982ca21dc07581525

Download Submit
C:\Users\Admin\AppData\Local\Temp\e157039d-de5a-490d-b2c3-a43a4c19be9c.vbs

Filesize
720B

MD5
ff02eaa9199ad2de522c7ffc640d9d58

SHA1
a6908de3838bc835c46a2db866e85a0377d12d60

SHA256
d7d99185bf4de7ff55cb63af97e80071fe39f5f303a88165005de33c1e57fcda

SHA512
07265e018ea0def7268604ecb44e53909f2b76c9822c509a9b1e9ff0afdd379f4b975eec4a89d563cee12cef2661c7466fa6630ab1a16ee1eacbcc132c1da59f

Download Submit
C:\Windows\System32\KBDBHC\RCXB114.tmp

Filesize
1.5MB

MD5
ccf29c9d04bb3938fe6cf72e753b64b5

SHA1
e9ba9e67de398b804f211e6314b96c04a3ddd6ce

SHA256
1fcd1445192f795d9af56580db91044cdb998225b569c25c095a143726e7926d

SHA512
010c7930ed8a240f7f3d37a9645f48954cee78fc1e3dc3f8f3893ebfad75d98920646bdb53a01c120dc1d3ea4f8bf27b37d6f21859dec11ed6fbe551ef6d65bc

Download Submit
C:\Windows\System32\TSWorkspace\taskhostw.exe

Filesize
1.5MB

MD5
8261fc22f84b5aeed1dd90a21e189642

SHA1
14d5d5ab37929a700f93adfcb460da55b7409b34

SHA256
9eb24763a9480e2ea5e6d4c97999d9721b1e3aea11a9496bb21b89e94f44d78c

SHA512
f3c530c918c332a1cd21f9c9fb9593772616c9e90436ea6219296612c047a526c73326944f592f23c81cd2e8b4fa5168f52bf8c1f5133d0db03b5d9923179cec

Download Submit
memory/1604-379-0x000000001CEF0000-0x000000001CFF2000-memory.dmp

Filesize
1.0MB

Download
memory/2268-355-0x000000001D160000-0x000000001D262000-memory.dmp

Filesize
1.0MB

Download
memory/2932-140-0x000001D1228B0000-0x000001D1228D2000-memory.dmp

Filesize
136KB

Download
memory/3088-331-0x000000001DA40000-0x000000001DB42000-memory.dmp

Filesize
1.0MB

Download
memory/3212-318-0x000000001D270000-0x000000001D372000-memory.dmp

Filesize
1.0MB

Download
memory/3212-319-0x000000001D270000-0x000000001D372000-memory.dmp

Filesize
1.0MB

Download
memory/3672-0-0x00007FFCCDA23000-0x00007FFCCDA25000-memory.dmp

Filesize
8KB

Download
memory/3672-13-0x000000001B300000-0x000000001B30A000-memory.dmp

Filesize
40KB

Download
memory/3672-10-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/3672-9-0x000000001B1B0000-0x000000001B1BC000-memory.dmp

Filesize
48KB

Download
memory/3672-8-0x000000001B1A0000-0x000000001B1A8000-memory.dmp

Filesize
32KB

Download
memory/3672-7-0x000000001B190000-0x000000001B19C000-memory.dmp

Filesize
48KB

Download
memory/3672-6-0x000000001B170000-0x000000001B17A000-memory.dmp

Filesize
40KB

Download
memory/3672-17-0x000000001B340000-0x000000001B34C000-memory.dmp

Filesize
48KB

Download
memory/3672-5-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/3672-1-0x00000000004F0000-0x000000000066E000-memory.dmp

Filesize
1.5MB

Download
memory/3672-4-0x000000001B160000-0x000000001B172000-memory.dmp

Filesize
72KB

Download
memory/3672-14-0x000000001B310000-0x000000001B31C000-memory.dmp

Filesize
48KB

Download
memory/3672-16-0x000000001B330000-0x000000001B338000-memory.dmp

Filesize
32KB

Download
memory/3672-15-0x000000001B320000-0x000000001B32A000-memory.dmp

Filesize
40KB

Download
memory/3672-3-0x000000001B150000-0x000000001B158000-memory.dmp

Filesize
32KB

Download
memory/3672-25-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-11-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

Filesize
64KB

Download
memory/3672-12-0x000000001B2F0000-0x000000001B2F8000-memory.dmp

Filesize
32KB

Download
memory/3672-24-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-214-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-21-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/3672-2-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-20-0x000000001B360000-0x000000001B36C000-memory.dmp

Filesize
48KB

Download
memory/3672-18-0x000000001B350000-0x000000001B358000-memory.dmp

Filesize
32KB

Download
memory/4112-252-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/4380-367-0x000000001DC30000-0x000000001DD32000-memory.dmp

Filesize
1.0MB

Download
memory/4900-343-0x000000001D520000-0x000000001D622000-memory.dmp

Filesize
1.0MB

Download
memory/4940-240-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download