dcrat | d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Size

1.0MB
MD5

aea3d4caf079e299eea0b385a4dbbedd
SHA1

74b93127a847e2e2f2af6baa6b4ad6431c02ac63
SHA256

d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5
SHA512

8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9
SSDEEP

12288:sP2N7DeTXX5qeIeLsdxv/xedn6IwyMbfhC6hQs3uUbG6ddD7HFPMmXgAff+75LMF:sP28z7IeYxvJeKHdZH3OacV3d9CE4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		964	schtasks.exe
		3460	schtasks.exe
		4620	schtasks.exe
		3996	schtasks.exe
		2560	schtasks.exe
		3076	schtasks.exe
		3280	schtasks.exe
		2380	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
		4772	schtasks.exe
		2884	schtasks.exe
		4612	schtasks.exe
		3228	schtasks.exe
		3408	schtasks.exe
		4036	schtasks.exe
		3552	schtasks.exe
		1320	schtasks.exe
		3788	schtasks.exe
		4344	schtasks.exe
		1524	schtasks.exe
		532	schtasks.exe
		2868	schtasks.exe
		3948	schtasks.exe
		1540	schtasks.exe
		5040	schtasks.exe
		3580	schtasks.exe
		4060	schtasks.exe
		1392	schtasks.exe
		1612	schtasks.exe
		3524	schtasks.exe
		4892	schtasks.exe
		4072	schtasks.exe
		4748	schtasks.exe
		4592	schtasks.exe
		4680	schtasks.exe
File created	C:\Program Files\Windows Multimedia Platform\56085415360792		d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
		2844	schtasks.exe
		4704	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\RuntimeBroker.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\RuntimeBroker.exe\", \"C:\\Windows\\appcompat\\Programs\\SearchApp.exe\", \"C:\\Users\\Admin\\Local Settings\\sppsvc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\RuntimeBroker.exe\", \"C:\\Windows\\appcompat\\Programs\\SearchApp.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\Program Files\\Windows Mail\\services.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2424	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	2424	schtasks.exe	83

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2656-1-0x00000000001A0000-0x00000000002AE000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c0c-27.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2308	powershell.exe
1676	powershell.exe
2780	powershell.exe
5088	powershell.exe
1560	powershell.exe
4064	powershell.exe
1236	powershell.exe
4204	powershell.exe
1444	powershell.exe
864	powershell.exe
2956	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

pid	Process
4952	RuntimeBroker.exe
2856	RuntimeBroker.exe
4516	RuntimeBroker.exe
2728	RuntimeBroker.exe
2852	RuntimeBroker.exe
1992	RuntimeBroker.exe
3112	RuntimeBroker.exe
1896	RuntimeBroker.exe
4016	RuntimeBroker.exe
3556	RuntimeBroker.exe
2964	RuntimeBroker.exe
1368	RuntimeBroker.exe
1724	RuntimeBroker.exe
1444	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\RuntimeBroker.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Local Settings\\sppsvc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Local Settings\\sppsvc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Mail\\services.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Mail\\services.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\upfc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5 = "\"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\RuntimeBroker.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\appcompat\\Programs\\SearchApp.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5 = "\"C:\\Recovery\\WindowsRE\\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\appcompat\\Programs\\SearchApp.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\55b276f4edf653	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows Mail\services.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\ModifiableWindowsApps\OfficeClickToRun.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\ea1d8f6d871115	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files (x86)\Windows Mail\sppsvc.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\upfc.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows Multimedia Platform\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\wininit.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows Multimedia Platform\56085415360792	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\OCR\it-it\sihost.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\appcompat\Programs\SearchApp.exe	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
File created	C:\Windows\appcompat\Programs\38384e6a620884	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4748	schtasks.exe
1392	schtasks.exe
1524	schtasks.exe
3580	schtasks.exe
1540	schtasks.exe
2380	schtasks.exe
4620	schtasks.exe
3460	schtasks.exe
2560	schtasks.exe
2844	schtasks.exe
3996	schtasks.exe
4072	schtasks.exe
5040	schtasks.exe
532	schtasks.exe
4612	schtasks.exe
3788	schtasks.exe
4592	schtasks.exe
3076	schtasks.exe
4344	schtasks.exe
3228	schtasks.exe
4036	schtasks.exe
1612	schtasks.exe
4704	schtasks.exe
3552	schtasks.exe
2868	schtasks.exe
4680	schtasks.exe
4772	schtasks.exe
4892	schtasks.exe
2884	schtasks.exe
964	schtasks.exe
3408	schtasks.exe
3524	schtasks.exe
4060	schtasks.exe
1320	schtasks.exe
3948	schtasks.exe
3280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
4204	powershell.exe
4064	powershell.exe
4064	powershell.exe
4064	powershell.exe
1236	powershell.exe
1236	powershell.exe
2956	powershell.exe
2956	powershell.exe
1560	powershell.exe
1560	powershell.exe
864	powershell.exe
864	powershell.exe
1676	powershell.exe
1676	powershell.exe
1444	powershell.exe
1444	powershell.exe
5088	powershell.exe
5088	powershell.exe
2780	powershell.exe
2780	powershell.exe
2308	powershell.exe
2308	powershell.exe
4204	powershell.exe
4204	powershell.exe
1676	powershell.exe
864	powershell.exe
1236	powershell.exe
2780	powershell.exe
1560	powershell.exe
2956	powershell.exe
1444	powershell.exe
5088	powershell.exe
2308	powershell.exe
4952	RuntimeBroker.exe
2856	RuntimeBroker.exe
4516	RuntimeBroker.exe
2728	RuntimeBroker.exe
2852	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	4952	RuntimeBroker.exe
Token: SeDebugPrivilege	2856	RuntimeBroker.exe
Token: SeDebugPrivilege	4516	RuntimeBroker.exe
Token: SeDebugPrivilege	2728	RuntimeBroker.exe
Token: SeDebugPrivilege	2852	RuntimeBroker.exe
Token: SeDebugPrivilege	1992	RuntimeBroker.exe
Token: SeDebugPrivilege	3112	RuntimeBroker.exe
Token: SeDebugPrivilege	1896	RuntimeBroker.exe
Token: SeDebugPrivilege	4016	RuntimeBroker.exe
Token: SeDebugPrivilege	3556	RuntimeBroker.exe
Token: SeDebugPrivilege	2964	RuntimeBroker.exe
Token: SeDebugPrivilege	1368	RuntimeBroker.exe
Token: SeDebugPrivilege	1724	RuntimeBroker.exe
Token: SeDebugPrivilege	1444	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2308	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	120
PID 2656 wrote to memory of 2308	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	120
PID 2656 wrote to memory of 4204	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	121
PID 2656 wrote to memory of 4204	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	121
PID 2656 wrote to memory of 1444	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	122
PID 2656 wrote to memory of 1444	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	122
PID 2656 wrote to memory of 864	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	123
PID 2656 wrote to memory of 864	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	123
PID 2656 wrote to memory of 1676	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	124
PID 2656 wrote to memory of 1676	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	124
PID 2656 wrote to memory of 2780	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	125
PID 2656 wrote to memory of 2780	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	125
PID 2656 wrote to memory of 5088	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	126
PID 2656 wrote to memory of 5088	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	126
PID 2656 wrote to memory of 1236	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	127
PID 2656 wrote to memory of 1236	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	127
PID 2656 wrote to memory of 4064	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	128
PID 2656 wrote to memory of 4064	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	128
PID 2656 wrote to memory of 1560	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	129
PID 2656 wrote to memory of 1560	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	129
PID 2656 wrote to memory of 2956	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	130
PID 2656 wrote to memory of 2956	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	130
PID 2656 wrote to memory of 3120	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	142
PID 2656 wrote to memory of 3120	2656	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe	142
PID 3120 wrote to memory of 3380	3120	cmd.exe	144
PID 3120 wrote to memory of 3380	3120	cmd.exe	144
PID 3120 wrote to memory of 4952	3120	cmd.exe	146
PID 3120 wrote to memory of 4952	3120	cmd.exe	146
PID 4952 wrote to memory of 1280	4952	RuntimeBroker.exe	148
PID 4952 wrote to memory of 1280	4952	RuntimeBroker.exe	148
PID 4952 wrote to memory of 4912	4952	RuntimeBroker.exe	149
PID 4952 wrote to memory of 4912	4952	RuntimeBroker.exe	149
PID 1280 wrote to memory of 2856	1280	WScript.exe	157
PID 1280 wrote to memory of 2856	1280	WScript.exe	157
PID 2856 wrote to memory of 4104	2856	RuntimeBroker.exe	161
PID 2856 wrote to memory of 4104	2856	RuntimeBroker.exe	161
PID 2856 wrote to memory of 3396	2856	RuntimeBroker.exe	162
PID 2856 wrote to memory of 3396	2856	RuntimeBroker.exe	162
PID 4104 wrote to memory of 4516	4104	WScript.exe	168
PID 4104 wrote to memory of 4516	4104	WScript.exe	168
PID 4516 wrote to memory of 4968	4516	RuntimeBroker.exe	170
PID 4516 wrote to memory of 4968	4516	RuntimeBroker.exe	170
PID 4516 wrote to memory of 2044	4516	RuntimeBroker.exe	171
PID 4516 wrote to memory of 2044	4516	RuntimeBroker.exe	171
PID 4968 wrote to memory of 2728	4968	WScript.exe	175
PID 4968 wrote to memory of 2728	4968	WScript.exe	175
PID 2728 wrote to memory of 2380	2728	RuntimeBroker.exe	177
PID 2728 wrote to memory of 2380	2728	RuntimeBroker.exe	177
PID 2728 wrote to memory of 4612	2728	RuntimeBroker.exe	178
PID 2728 wrote to memory of 4612	2728	RuntimeBroker.exe	178
PID 2380 wrote to memory of 2852	2380	WScript.exe	181
PID 2380 wrote to memory of 2852	2380	WScript.exe	181
PID 2852 wrote to memory of 2208	2852	RuntimeBroker.exe	183
PID 2852 wrote to memory of 2208	2852	RuntimeBroker.exe	183
PID 2852 wrote to memory of 3268	2852	RuntimeBroker.exe	184
PID 2852 wrote to memory of 3268	2852	RuntimeBroker.exe	184
PID 2208 wrote to memory of 1992	2208	WScript.exe	186
PID 2208 wrote to memory of 1992	2208	WScript.exe	186
PID 1992 wrote to memory of 1392	1992	RuntimeBroker.exe	188
PID 1992 wrote to memory of 1392	1992	RuntimeBroker.exe	188
PID 1992 wrote to memory of 3868	1992	RuntimeBroker.exe	189
PID 1992 wrote to memory of 3868	1992	RuntimeBroker.exe	189
PID 1392 wrote to memory of 3112	1392	WScript.exe	191
PID 1392 wrote to memory of 3112	1392	WScript.exe	191

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe
"C:\Users\Admin\AppData\Local\Temp\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7UvZ2eAAMh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3380
- - C:\Users\All Users\RuntimeBroker.exe
    "C:\Users\All Users\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4952
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0be0073-f4f3-4bfa-8c66-daf44d05e2af.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2856
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf704fd0-489e-4abd-b062-2014846a5828.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb25d45c-8615-44ad-8ebd-42fff5af6e59.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\556d0e9e-2e99-4f80-ad80-e5d4b7081998.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe0a6a6-dca1-4da4-a454-341a537b44bc.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95a49835-d735-4ca4-a3b8-e55f74f9e1bb.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42cae0e0-0a68-4af9-9bd4-a07694f86522.vbs"
        16⤵
        
        PID:1156
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7839662b-3f19-4737-bcc5-73ad8322a0f4.vbs"
        18⤵
        
        PID:2136
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ef2169-a73f-483e-acac-b44c92415cff.vbs"
        20⤵
        
        PID:4496
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0e78634-8bfe-4601-a0c1-4ef24bea921b.vbs"
        22⤵
        
        PID:4956
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39323a97-3295-4c83-82d7-58bc5ee279ba.vbs"
        24⤵
        
        PID:2956
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33a5bbae-479c-4a9d-8bc1-85fa76eb3e3d.vbs"
        26⤵
        
        PID:1540
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343a5684-60b7-41ab-8900-314c4caa8e95.vbs"
        28⤵
        
        PID:4308
        
        C:\Users\All Users\RuntimeBroker.exe
        
        "C:\Users\All Users\RuntimeBroker.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62d6aa24-90da-4a41-ac85-92adb9c34e42.vbs"
        30⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e3c5324-1515-4d00-afb4-6c4b7f1feb7b.vbs"
        30⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32dc5f24-dfd6-4851-8113-aaef7bd9e548.vbs"
        28⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34c8bdac-4164-4719-85c6-9512a1dbdf4a.vbs"
        26⤵
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01eb802-0b77-4023-ad75-2566c790ecd9.vbs"
        24⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f3c0d22-04c7-4f06-b2e1-3678eae8a70d.vbs"
        22⤵
        
        PID:228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c4df56e-84ac-4fa8-9b6e-e3f9aa68d3e7.vbs"
        20⤵
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa46f8d1-7dc6-4a69-b1db-12c9bcbba575.vbs"
        18⤵
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79dc92e3-b66a-4df2-9ea9-75d95d3afeb6.vbs"
        16⤵
        
        PID:4628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b72ca56-da97-4d36-9550-8010e656ac8b.vbs"
        14⤵
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b11e08c-9bc2-42b7-b471-6d66983e27bf.vbs"
        12⤵
        
        PID:3268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\710503a4-aebb-47cd-bea0-85ee44e9bda6.vbs"
        10⤵
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c54b296-b739-49bb-b76a-1a4c9a5422b2.vbs"
        8⤵
        
        PID:2044
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c60eec87-8c65-4cd1-a49b-f4f9494e3611.vbs"
        6⤵
        
        PID:3396
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc13a008-2867-42e4-9527-03dacfe2107e.vbs"
      4⤵
      PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5d" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\Programs\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\Programs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\Configuration\upfc.exe

Filesize
1.0MB

MD5
aea3d4caf079e299eea0b385a4dbbedd

SHA1
74b93127a847e2e2f2af6baa6b4ad6431c02ac63

SHA256
d2196c5c358f43597a318e032bfd158b9c0ef318be6a2323acd2508bd6d23dc5

SHA512
8df72070ac43ee5b3e0ba8e958b0b5132229be9c6b1ed07bc0d26cbaeb27199fda53ca0cbe80c39f6af878db84d06206f59cb9bf97b64dc61b7f47237e1edbd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\33a5bbae-479c-4a9d-8bc1-85fa76eb3e3d.vbs

Filesize
712B

MD5
3d90593b1b4fc5fcce344fb9e3eb1d04

SHA1
7ad64fa5e38e015f2d0251470d8f533ae217c3a7

SHA256
bee109a1de10ba114292a21be6d23345d23161d17b6a34a5b8e0a7396ed9534f

SHA512
6f75d50af539faca0613ad9bcc4607505b5f9e4779ee11ea67ff8604dcbd29a1b618d12799e0e9fabae4a6b088d6a7c375f74e6db9655e0dd4c63dbc812a51eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\343a5684-60b7-41ab-8900-314c4caa8e95.vbs

Filesize
712B

MD5
fe871371a726037aa366881726d737c2

SHA1
9fb6a5b6a54da3cbd033ec092439e96af443cada

SHA256
be7e0e26bbf864a8095a5c741907504403982b9caa05f908d7791b69527eaa03

SHA512
a75007c6ccdd2ecf61822091ef1a5cf290f7cf7d1eb63fb6455a062a9ba4727008c866ada61dac3faf8a56920c3e90022ce23c2d2a09bfa9749a7c077c0d4d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\39323a97-3295-4c83-82d7-58bc5ee279ba.vbs

Filesize
712B

MD5
124a6222939e5d5a776babefcbee747c

SHA1
ce955045c190316617ab89b6d33507aa06315c6d

SHA256
13f16ddb060c0d7d41b388082a6f5821c34e29a0b72918e8caf5d9fc61074787

SHA512
8af10117eaeb5ecdeeaf28a970413ed13a7dcba242c6de6c63595169ca7453a4e9929aff02a80c126f860601a1da6970713a4eb6b4f536b50113e34c56169362

Download Submit
C:\Users\Admin\AppData\Local\Temp\42cae0e0-0a68-4af9-9bd4-a07694f86522.vbs

Filesize
712B

MD5
82c098cab208acbdd73e76c5acfeaf25

SHA1
e679509917495248d533d441f42be13878d05787

SHA256
1c1940d7cc4c13094bed7ebbff8e55a70a9f764a77f1dba2f43f9b415a7d73fc

SHA512
2b83000c81bd7262181f13f4d8de88cb79facafb6f33deeef36ccc0f4f62899a82c0ad32c3a544568b8c76587be3b833b8d9eff0aa9474ecdd671885a612ad8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\556d0e9e-2e99-4f80-ad80-e5d4b7081998.vbs

Filesize
712B

MD5
2ba84f85ef917bf69708ce2d13937f44

SHA1
dc03c15e0060fddfd671b3f3018f2d2fbd14dffd

SHA256
bf574fb47845004fc14c9e91b3076a9b6e5e45472b9570a9062cbfdceab0cad0

SHA512
f7f9cdcd58a6bf8a136d2280cbc822bd67e6513f0196da80ae37ef1188de686646cfe2cf5cebfa2f4480abbf913c3c0af90eac724f4da9693b302fcd48bfe282

Download Submit
C:\Users\Admin\AppData\Local\Temp\7839662b-3f19-4737-bcc5-73ad8322a0f4.vbs

Filesize
712B

MD5
8a10d6fb3c62432f291456fd2c3dfc70

SHA1
60053fabd396514f05f50621fda41d6d478345a3

SHA256
bc1e70ff5a2846f8e93cf86b1741a61d2aee54bf5f703d6ba2cce50e0abe5b36

SHA512
74ff5246b2f31208f1e7088d71dfe4ae5c0da755e1e18025b8a30ea8a02f7bd664778e9427f79ba162848407738331d82e13c7c68b314651874b9ff997632046

Download Submit
C:\Users\Admin\AppData\Local\Temp\7UvZ2eAAMh.bat

Filesize
201B

MD5
b16f508fb3e57b967ab89b5a5de334b9

SHA1
1327268933316525b78cf9721400b12d64ebe290

SHA256
9ed08b0898443b567a9b2c44f9ae93909d0ea4deb9c5e21f96b2743038d62c01

SHA512
81877264c29685dbece3d8789190e36daca279925938c767f4cadfbb30a5f3a2f0c3d1709fd37632a8ab6a7ff10d430c0c669b8217a3db309b01f5e86631213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\95a49835-d735-4ca4-a3b8-e55f74f9e1bb.vbs

Filesize
712B

MD5
222bd39d229cb6eba2cd669d809433df

SHA1
ffecb82ba20339d7f0f59071b6a751db8f95468e

SHA256
227b8979feef2a89451a3f650678fa068e813e01e4ebef141527e819d4cb6038

SHA512
c13c37e3d979130420f7ab9aa2cce50cd160211cb6c9960789bc258fad0cf2a22e8676a8febfbdc6447d93525c2b2ff66b92267957cd498857f2e2642abe7812

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rp2t0ott.lpb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\afe0a6a6-dca1-4da4-a454-341a537b44bc.vbs

Filesize
712B

MD5
57f67ff8cb22177ceb6f344a30a32a0b

SHA1
ed472175c9ad05e79c5ca3bf51886ed2b5c32c93

SHA256
b87a945146df9b48c2cf242e7f6435b147571d309e19eb73e8936467f827f180

SHA512
f11b0ac1c8348fbba54b738303e4327ee0e6bb89416f39988ec0ad17edfa18f7657488c3a482e93d280aacfd130e1babffda45c363bab9d73e5725c52e64cad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0e78634-8bfe-4601-a0c1-4ef24bea921b.vbs

Filesize
712B

MD5
8ec4f9a6b49a1eb550cf7a27b88d3453

SHA1
d1ab6675c60a733c3a0ceb6d02047ea2ce6aa0eb

SHA256
494d9c670236e9b2ea39091b020abc0a7170ed74520a68622f9fb1e413111a76

SHA512
b3da2946bf6c9b9d27f4738f19d9f080cc13897abd07c6231cc53b1857cdbf634f225798bcf5f0a6a08c6ab132b7da556e29516927c8a216a4e99b8a924d09d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf704fd0-489e-4abd-b062-2014846a5828.vbs

Filesize
712B

MD5
a19aad9b4e9cb7b20f2d7e318c0a2ab8

SHA1
f5fa46906c6d4e50b39896ad68796b5c9920d3a6

SHA256
53e4a9330ca685c85b1c2bfc6f45bcf45f5d12edcfa0a41fc6351dff7de85549

SHA512
dfc76bb2b46246bbf70db9f8958628636c14b27be113e0d4cd0877dd85d382663acc9c0ba0fbfbceecefa216f12576670eb84faef795164d9625ac5588e8eb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5ef2169-a73f-483e-acac-b44c92415cff.vbs

Filesize
712B

MD5
b0d49c22fe2036a649d788977d450f14

SHA1
0a816a82a004f82affd00ddac6ff2ba458f79e94

SHA256
4098d30a514cdb9b4796a85eb391360a1fd168e3536e038c2a23f2dc5a00f0fe

SHA512
0dbfea0e1890778ca2a906cc807d960fb0cad711b2a6a68e929b0f8f43605cc398552e0fd07b7ef4f58f92f2102157959d97942b9181aaa556e1537f4830b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc13a008-2867-42e4-9527-03dacfe2107e.vbs

Filesize
488B

MD5
754d8740e5d2ed91e22e0f6521eaa980

SHA1
6d2fd39044b34189829d56ecf156f6565ba2c7e7

SHA256
8fa99e4ec490c25eaa4156badefe2f97a70c0dfbde6c6ebc9481e691ea9319fe

SHA512
d133bdf4a9c210283a6201df90938e6fe5d3d97052ced624068f17f1d9439bff97ce1008b069e65d84e922ec8fa665c07b30d32888dc060087f62c637620da37

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0be0073-f4f3-4bfa-8c66-daf44d05e2af.vbs

Filesize
712B

MD5
d4dfca5f1a0d0089327115d9f3d882c4

SHA1
4eb659216c5e8133c4b02002615494f019b94b79

SHA256
aad73780df124701640598ee7bb4426eb7376036d515eb00ca147904c389f5b2

SHA512
ab22d44de75473b515081319b8836a96ecbcb0394cb0c20f59a5d1428bcdc8964d3f70f48787d75340729e2f5f1dab9b5d1bab9b57f5ea64274139b39b58e596

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb25d45c-8615-44ad-8ebd-42fff5af6e59.vbs

Filesize
712B

MD5
df7c2045c5bd2b8024a50e3326511a2c

SHA1
09a180dddb9f1e621dfd54e9508981abef991bcc

SHA256
9c48852989e516dff6e9b5b589ae9a8a2e278e051ee71f17f07c23a5d743f677

SHA512
0e29ec4b9c643760c15e0d1f36a8bad6b02c947489e92a07fb442109fb3abd9be59da334ae8bdc9e605d7c4de035e57b92b5b8292a3ea7f2cd3bf6bd75ea5139

Download Submit
memory/1992-242-0x000000001D8E0000-0x000000001D9E2000-memory.dmp

Filesize
1.0MB

Download
memory/2656-0-0x00007FF8DBAB3000-0x00007FF8DBAB5000-memory.dmp

Filesize
8KB

Download
memory/2656-3-0x0000000002320000-0x000000000233C000-memory.dmp

Filesize
112KB

Download
memory/2656-18-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/2656-15-0x000000001AED0000-0x000000001AED8000-memory.dmp

Filesize
32KB

Download
memory/2656-16-0x000000001AEE0000-0x000000001AEEE000-memory.dmp

Filesize
56KB

Download
memory/2656-14-0x000000001AEC0000-0x000000001AECE000-memory.dmp

Filesize
56KB

Download
memory/2656-13-0x000000001AEB0000-0x000000001AEBA000-memory.dmp

Filesize
40KB

Download
memory/2656-9-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/2656-4-0x000000001AE50000-0x000000001AEA0000-memory.dmp

Filesize
320KB

Download
memory/2656-17-0x000000001B580000-0x000000001B58A000-memory.dmp

Filesize
40KB

Download
memory/2656-11-0x000000001AE40000-0x000000001AE48000-memory.dmp

Filesize
32KB

Download
memory/2656-112-0x00007FF8DBAB0000-0x00007FF8DC571000-memory.dmp

Filesize
10.8MB

Download
memory/2656-10-0x000000001AE30000-0x000000001AE3C000-memory.dmp

Filesize
48KB

Download
memory/2656-2-0x00007FF8DBAB0000-0x00007FF8DC571000-memory.dmp

Filesize
10.8MB

Download
memory/2656-8-0x000000001AE10000-0x000000001AE1C000-memory.dmp

Filesize
48KB

Download
memory/2656-1-0x00000000001A0000-0x00000000002AE000-memory.dmp

Filesize
1.1MB

Download
memory/2656-7-0x000000001AE00000-0x000000001AE0A000-memory.dmp

Filesize
40KB

Download
memory/2656-5-0x000000001ADC0000-0x000000001ADC8000-memory.dmp

Filesize
32KB

Download
memory/2656-6-0x000000001ADD0000-0x000000001ADE6000-memory.dmp

Filesize
88KB

Download
memory/2656-12-0x000000001AEA0000-0x000000001AEA8000-memory.dmp

Filesize
32KB

Download
memory/2728-218-0x000000001D630000-0x000000001D732000-memory.dmp

Filesize
1.0MB

Download
memory/2852-230-0x000000001DAB0000-0x000000001DBB2000-memory.dmp

Filesize
1.0MB

Download
memory/3112-254-0x000000001D5F0000-0x000000001D6F2000-memory.dmp

Filesize
1.0MB

Download
memory/4064-56-0x000002CA579F0000-0x000002CA57A12000-memory.dmp

Filesize
136KB

Download