dcrat | 26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Size

1.5MB
MD5

a5fab16bfd5f2f5b2beef03fc634c78b
SHA1

e2876e25315d4109734bd0ffa2e3d50db7550f5e
SHA256

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7
SHA512

a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRQ:EzhWhCXQFN+0IEuQgyiVK4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		464	schtasks.exe
		3688	schtasks.exe
		3560	schtasks.exe
		1644	schtasks.exe
		2828	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\6cb0b6c459d5d3		26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
		1540	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\", \"C:\\Documents and Settings\\Registry.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\", \"C:\\Documents and Settings\\Registry.exe\", \"C:\\Windows\\System32\\msvcp110_win\\SppExtComObj.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\", \"C:\\Documents and Settings\\Registry.exe\", \"C:\\Windows\\System32\\msvcp110_win\\SppExtComObj.exe\", \"C:\\Windows\\System32\\NgcCtnrSvc\\SppExtComObj.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\", \"C:\\Documents and Settings\\Registry.exe\", \"C:\\Windows\\System32\\msvcp110_win\\SppExtComObj.exe\", \"C:\\Windows\\System32\\NgcCtnrSvc\\SppExtComObj.exe\", \"C:\\Windows\\System32\\CloudExperienceHostCommon\\RuntimeBroker.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\", \"C:\\Documents and Settings\\Registry.exe\", \"C:\\Windows\\System32\\msvcp110_win\\SppExtComObj.exe\", \"C:\\Windows\\System32\\NgcCtnrSvc\\SppExtComObj.exe\", \"C:\\Windows\\System32\\CloudExperienceHostCommon\\RuntimeBroker.exe\", \"C:\\Program Files\\Crashpad\\reports\\RuntimeBroker.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	4560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4560	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4560	schtasks.exe	83

UAC bypass 3 TTPs 54 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe
4496	powershell.exe
1416	powershell.exe
3952	powershell.exe
1748	powershell.exe
3344	powershell.exe
4844	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 17 IoCs

pid	Process
1936	dwm.exe
2836	dwm.exe
4528	dwm.exe
1872	dwm.exe
4212	dwm.exe
888	dwm.exe
2212	dwm.exe
548	dwm.exe
2652	dwm.exe
3580	dwm.exe
3564	dwm.exe
312	dwm.exe
1444	dwm.exe
1440	dwm.exe
4568	dwm.exe
1188	dwm.exe
3696	dwm.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Documents and Settings\\Registry.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\msvcp110_win\\SppExtComObj.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\NgcCtnrSvc\\SppExtComObj.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\NgcCtnrSvc\\SppExtComObj.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\CloudExperienceHostCommon\\RuntimeBroker.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\CloudExperienceHostCommon\\RuntimeBroker.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Documents and Settings\\Registry.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\msvcp110_win\\SppExtComObj.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Crashpad\\reports\\RuntimeBroker.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Crashpad\\reports\\RuntimeBroker.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\dwm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\msvcp110_win\SppExtComObj.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\NgcCtnrSvc\SppExtComObj.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\CloudExperienceHostCommon\9e8d7a4ca61bd9	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\msvcp110_win\RCXC0A3.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\msvcp110_win\SppExtComObj.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\NgcCtnrSvc\RCXC2A8.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\NgcCtnrSvc\SppExtComObj.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\msvcp110_win\e1ef82546f0b02	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\NgcCtnrSvc\e1ef82546f0b02	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\CloudExperienceHostCommon\RuntimeBroker.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\CloudExperienceHostCommon\RCXC51A.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\CloudExperienceHostCommon\RuntimeBroker.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\reports\RuntimeBroker.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Program Files\Crashpad\reports\9e8d7a4ca61bd9	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXBBBF.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXC78C.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Program Files\Crashpad\reports\RuntimeBroker.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\6cb0b6c459d5d3	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1540	schtasks.exe
464	schtasks.exe
3688	schtasks.exe
3560	schtasks.exe
1644	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
3344	powershell.exe
3344	powershell.exe
1748	powershell.exe
3952	powershell.exe
4844	powershell.exe
2908	powershell.exe
1416	powershell.exe
4496	powershell.exe
3952	powershell.exe
3952	powershell.exe
4844	powershell.exe
4844	powershell.exe
1416	powershell.exe
1416	powershell.exe
2908	powershell.exe
2908	powershell.exe
1748	powershell.exe
1748	powershell.exe
4496	powershell.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
1936	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe
2836	dwm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1936	dwm.exe
Token: SeDebugPrivilege	2836	dwm.exe
Token: SeDebugPrivilege	4528	dwm.exe
Token: SeDebugPrivilege	1872	dwm.exe
Token: SeDebugPrivilege	4212	dwm.exe
Token: SeDebugPrivilege	888	dwm.exe
Token: SeDebugPrivilege	2212	dwm.exe
Token: SeDebugPrivilege	548	dwm.exe
Token: SeDebugPrivilege	2652	dwm.exe
Token: SeDebugPrivilege	3580	dwm.exe
Token: SeDebugPrivilege	3564	dwm.exe
Token: SeDebugPrivilege	312	dwm.exe
Token: SeDebugPrivilege	1444	dwm.exe
Token: SeDebugPrivilege	1440	dwm.exe
Token: SeDebugPrivilege	4568	dwm.exe
Token: SeDebugPrivilege	1188	dwm.exe
Token: SeDebugPrivilege	3696	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1748	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	90
PID 2808 wrote to memory of 1748	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	90
PID 2808 wrote to memory of 3344	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	91
PID 2808 wrote to memory of 3344	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	91
PID 2808 wrote to memory of 4844	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	92
PID 2808 wrote to memory of 4844	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	92
PID 2808 wrote to memory of 2908	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	93
PID 2808 wrote to memory of 2908	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	93
PID 2808 wrote to memory of 4496	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	94
PID 2808 wrote to memory of 4496	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	94
PID 2808 wrote to memory of 1416	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	95
PID 2808 wrote to memory of 1416	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	95
PID 2808 wrote to memory of 3952	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	96
PID 2808 wrote to memory of 3952	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	96
PID 2808 wrote to memory of 4112	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	103
PID 2808 wrote to memory of 4112	2808	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	103
PID 4112 wrote to memory of 4684	4112	cmd.exe	106
PID 4112 wrote to memory of 4684	4112	cmd.exe	106
PID 4112 wrote to memory of 1936	4112	cmd.exe	110
PID 4112 wrote to memory of 1936	4112	cmd.exe	110
PID 1936 wrote to memory of 4936	1936	dwm.exe	111
PID 1936 wrote to memory of 4936	1936	dwm.exe	111
PID 1936 wrote to memory of 3548	1936	dwm.exe	112
PID 1936 wrote to memory of 3548	1936	dwm.exe	112
PID 4936 wrote to memory of 2836	4936	WScript.exe	118
PID 4936 wrote to memory of 2836	4936	WScript.exe	118
PID 2836 wrote to memory of 1588	2836	dwm.exe	119
PID 2836 wrote to memory of 1588	2836	dwm.exe	119
PID 2836 wrote to memory of 3004	2836	dwm.exe	120
PID 2836 wrote to memory of 3004	2836	dwm.exe	120
PID 1588 wrote to memory of 4528	1588	WScript.exe	125
PID 1588 wrote to memory of 4528	1588	WScript.exe	125
PID 4528 wrote to memory of 2056	4528	dwm.exe	126
PID 4528 wrote to memory of 2056	4528	dwm.exe	126
PID 4528 wrote to memory of 1236	4528	dwm.exe	127
PID 4528 wrote to memory of 1236	4528	dwm.exe	127
PID 2056 wrote to memory of 1872	2056	WScript.exe	131
PID 2056 wrote to memory of 1872	2056	WScript.exe	131
PID 1872 wrote to memory of 3600	1872	dwm.exe	132
PID 1872 wrote to memory of 3600	1872	dwm.exe	132
PID 1872 wrote to memory of 4892	1872	dwm.exe	133
PID 1872 wrote to memory of 4892	1872	dwm.exe	133
PID 3600 wrote to memory of 4212	3600	WScript.exe	134
PID 3600 wrote to memory of 4212	3600	WScript.exe	134
PID 4212 wrote to memory of 3564	4212	dwm.exe	135
PID 4212 wrote to memory of 3564	4212	dwm.exe	135
PID 4212 wrote to memory of 4048	4212	dwm.exe	136
PID 4212 wrote to memory of 4048	4212	dwm.exe	136
PID 3564 wrote to memory of 888	3564	WScript.exe	137
PID 3564 wrote to memory of 888	3564	WScript.exe	137
PID 888 wrote to memory of 4292	888	dwm.exe	138
PID 888 wrote to memory of 4292	888	dwm.exe	138
PID 888 wrote to memory of 3932	888	dwm.exe	139
PID 888 wrote to memory of 3932	888	dwm.exe	139
PID 4292 wrote to memory of 2212	4292	WScript.exe	140
PID 4292 wrote to memory of 2212	4292	WScript.exe	140
PID 2212 wrote to memory of 5000	2212	dwm.exe	141
PID 2212 wrote to memory of 5000	2212	dwm.exe	141
PID 2212 wrote to memory of 1748	2212	dwm.exe	142
PID 2212 wrote to memory of 1748	2212	dwm.exe	142
PID 5000 wrote to memory of 548	5000	WScript.exe	144
PID 5000 wrote to memory of 548	5000	WScript.exe	144
PID 548 wrote to memory of 1720	548	dwm.exe	145
PID 548 wrote to memory of 1720	548	dwm.exe	145

System policy modification 1 TTPs 54 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
"C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msvcp110_win\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NgcCtnrSvc\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\CloudExperienceHostCommon\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqpaqZ34Ag.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4684
- - C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
    "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1936
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc95f715-f81d-4d82-86f5-d5c11605c12b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2836
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4faf994b-cc91-45ed-9912-93422d48df45.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3cf0525-7cc6-4ddc-9cb7-4d2360e6cf66.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\660151f0-a465-4901-a023-838042d57db4.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3374b303-4371-479a-90e6-50f00adedcb6.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5506b28c-e30e-42ca-a8e4-89bc02534e2c.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c828d929-9858-4aa7-9759-9754c1437642.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bee50ccb-a9d3-40d9-a759-573b3c7eb27d.vbs"
        18⤵
        
        PID:1720
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da9621c-7b4e-40d3-9e03-a6e512a7c167.vbs"
        20⤵
        
        PID:4948
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\640c511c-0255-4c53-9161-915e7725325d.vbs"
        22⤵
        
        PID:1824
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd4da839-80a2-4767-b4cf-b1c4f58d86fe.vbs"
        24⤵
        
        PID:2208
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\366424c1-bba5-4f99-947a-7844cd0fb3bb.vbs"
        26⤵
        
        PID:3864
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c483c6b-a47e-46f9-91c2-3b1f72ca3f03.vbs"
        28⤵
        
        PID:3636
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d1e7a2f-ea1a-4e41-a7c6-116233d2d549.vbs"
        30⤵
        
        PID:2528
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86cbd204-ed22-48a4-a8b6-5b0d4b2c0396.vbs"
        32⤵
        
        PID:4276
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93ff77c-cde7-4daf-8162-0b506cef2c14.vbs"
        34⤵
        
        PID:4376
        
        C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe"
        35⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bf66b83-c1c3-42a5-b2f6-ef49d3cd4836.vbs"
        36⤵
        
        PID:4484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\414ec261-f996-4b9a-abdd-c13d2d4da830.vbs"
        36⤵
        
        PID:4436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\561a0cfa-2574-4f5b-b4dc-0d83af7882e6.vbs"
        34⤵
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5f3eab5-c79f-4bea-86ba-736aea684380.vbs"
        32⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88877501-1f75-45b9-8d94-e625da803e76.vbs"
        30⤵
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e632096c-1c60-4862-aae0-09a4498c3fcd.vbs"
        28⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87c90144-e47a-458b-b39f-cef01054aa56.vbs"
        26⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6539b4b0-2e58-4839-9bde-27c674e53c5c.vbs"
        24⤵
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0255eee-ad46-487e-bba8-24dd226cb332.vbs"
        22⤵
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d760ee0-7344-4893-a4a0-3f62d0ec069a.vbs"
        20⤵
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d914fd5-689d-463e-acdf-fd7beb572be7.vbs"
        18⤵
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd7ef189-b7ab-48b5-a4c2-70f4dcf0c030.vbs"
        16⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad2cd9e3-c93e-4e67-a621-4ac6ba929a8f.vbs"
        14⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43704f4c-38f8-4f60-a13e-e9ba946f8eb8.vbs"
        12⤵
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08ff6079-eb86-4e2f-abc5-04af0a152d37.vbs"
        10⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b404972f-029d-427e-bd26-b22be1f4ef68.vbs"
        8⤵
        
        PID:1236
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ff6631d-53f0-4c8e-ad78-21a1035a6c25.vbs"
        6⤵
        
        PID:3004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f093b3aa-95f1-483b-af09-abd28d29d1a2.vbs"
      4⤵
      PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Documents and Settings\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\msvcp110_win\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\NgcCtnrSvc\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\CloudExperienceHostCommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe

Filesize
1.5MB

MD5
aaeaa6b29411884b84d3d0b68b321ced

SHA1
02861d882c97c687fe758c9af113f21e8c5c5d46

SHA256
9e7e6c6b2e44e6a86842de11f2ecf6057c85ca62f07337284eac45552221c45f

SHA512
bfc3c87ca03c8e60b98aa8108c7e9bd42a369992de7ea6554f0e0a24b8c394bf29a1a638a5db2d313ec7c7d7d2a80a2a5d341213abc87ca8d3029e7b2f8a40f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10e1e59d15f6b14308cb9f5601ad98f621a10bfe.exe

Filesize
1.5MB

MD5
fce9d4e93262ede30849aacc32d3c332

SHA1
b40d5ed4e1c96a4f58415b3bd753e3bcc9029336

SHA256
8b2e6dc70ec2dd557a9a7c4ed3b3b467e683504164bb52d041fe0c4127e0974d

SHA512
8a6d2df5ea23114c9d5e5209df14e6a33a2f7ee47d9ed31d683fe9467dac3e1805ce0d056f024f7664a05e938f7a1c5a57532e1044fb2f159dadd8b2c560de54

Download Submit
C:\Users\Admin\AppData\Local\Temp\3374b303-4371-479a-90e6-50f00adedcb6.vbs

Filesize
730B

MD5
c6c08aaafd7dff1ab520abd6af39c0b0

SHA1
c521d2ccfc481d6e0e2a78edf22fb709af4fda6c

SHA256
cd1743ddf804ba19a1ca62f8604eb05584949f15b7f66b6f8184888e4fa3612e

SHA512
5db81b4a944965f9336aa2aff918d08dc8721f578bd1e74f8b6480a9399f0138efe406008cdacc6675c96958551941be919be8a7fb6fe047ef91c786d752c06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\366424c1-bba5-4f99-947a-7844cd0fb3bb.vbs

Filesize
729B

MD5
22e91d5418e403753319a59ed9efcced

SHA1
8f488eaafe126479015a92b134b049eefad626da

SHA256
600edd952cc52ce4900da5626bee4c3d332b81bf07eb9786169643f6a50965f5

SHA512
0819bd0e8e7711465df7b62c9faedfdae43ce2a4a8aa16c517f4ad21e2a95d30b09249dc7d590c35beaa84aef07793efe1f8d878e8601d4bb957773a14067766

Download Submit
C:\Users\Admin\AppData\Local\Temp\3da9621c-7b4e-40d3-9e03-a6e512a7c167.vbs

Filesize
730B

MD5
9dbfe6930cc0e6aae40d22e536537eaf

SHA1
86f1fa8e924ae5b5158ee93c9047aaf9064d4d3d

SHA256
779f8f87301b885b05fa99795505ef560072cc5d1117065f71b8e59a49e4f80c

SHA512
c384971433f4d93656456815bca402554f71dd499ef12b4eeb4485b5cdf4548408b0a2b9021a4755f0f54aa210674d012e9b091a86db57511c63596752e91f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4faf994b-cc91-45ed-9912-93422d48df45.vbs

Filesize
730B

MD5
6ca680f7c8c6b382dd7338d577904e81

SHA1
b91b58a96a0068d9b9d809545c8d0e357571d9d4

SHA256
e4262b6b9258fbfc40ac5680d2f17dfaa1297b7c622ea00bdb89734ad1477b35

SHA512
08d3041bb02a87125b154e1819ffd0e4eea4a2a70d2c0cb64cfd0472c30f0b1d9e11f2cb7d207a732be65500b31c9f85f1819f58a0eb345727887205a58c3ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5506b28c-e30e-42ca-a8e4-89bc02534e2c.vbs

Filesize
729B

MD5
47ffa331ee09a6a1ab7ea7d170a985a0

SHA1
60b2fa15672488030996384bb6879691785bb89b

SHA256
99b783830f1b2b9578c9c5b136706912f25ba641efde4f8fa4eb1289c1553e87

SHA512
d22002f4fa2ff754486afa4fa7775db4e5f55b0360f8b805446166390f5467223628943f4d2224a3d224b6e84ff2deba6861c8c433d7c9a02030d5f56c039fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\640c511c-0255-4c53-9161-915e7725325d.vbs

Filesize
730B

MD5
b290be22a80de40f6559c7e831aec3c7

SHA1
4c6995697f17939e242de93b5d43773cd3ccfd66

SHA256
b237afd7433e7040e6814d80626875ce8ce8d76b2680b419473467ec62c44884

SHA512
f1164de9301b491b4d56b8736014ef1a4e477ee267bf6b110b5f5d0160cabe946fae072918fac3760cdf23030b85f0af82484fe07480ef17be2a17d0f196482f

Download Submit
C:\Users\Admin\AppData\Local\Temp\660151f0-a465-4901-a023-838042d57db4.vbs

Filesize
730B

MD5
547a1c7012afa24be93ccde6790136d4

SHA1
ee9df7e2b618cacf9344be26379daca1a2d77a85

SHA256
129c7baf64dc227fa10902e26e566c88d65e799dddad56d1c0c2f3123a541ab3

SHA512
5d7573d5379d9a0cd6d6393c3f92c9973b47d8b2b6d315bbe9b65fa7298a7edffea1b828daeb34b0d38d6420e4ebcc1ec8b9561d8c6896bdff62ff869ddf2e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d1e7a2f-ea1a-4e41-a7c6-116233d2d549.vbs

Filesize
730B

MD5
6f0e295ea57456ce847c81c4bbb09d17

SHA1
c50cc17fdf9d24fea27be58a8cdd17b5b4c9e9ac

SHA256
0f4e8bbe0ff7679c4d5f285875a31fae367dcf546e423050f22799062a4c0f58

SHA512
4f978bfab8752401d0a61a66f9a58b4827fb51900e162376a38dff1fb6354c52fe71e5ccaa1ae80c07007b1a6b27736c5e118f7f1ef699c07166bf9f3acb024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c483c6b-a47e-46f9-91c2-3b1f72ca3f03.vbs

Filesize
730B

MD5
f1ebab220a99ee815562ff74c5e55228

SHA1
a9daad1ad5b3e751c567d33ef494a925466ec3b5

SHA256
8e669e299c6993c8bd4baa820be8224a30864c0911254d8631f220264b65e963

SHA512
2fb0cdaa578f5ae62cf0ec0cddff5a981748e5c08803d76023d02c7b673cf9e7bfa788722dd6ba0da47bb8ed58d7cfd26cefb0ceb9ab37cd6004ebf72fef37d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqpaqZ34Ag.bat

Filesize
218B

MD5
4413f3807c8c717a3882abe50f85f65e

SHA1
4b7d70e2d6ce6bfc41f91f645715cd6006912be7

SHA256
026b0bb134d4a516d7471d169d5e6f84e1c311ea42e302cd8c068a3c363f486c

SHA512
d3edce4f8c3a1f05d9deab2cd32df96e77b7279ef576c36eb663e8f8c05e16f93d8cb075d579db88fe5a1c720b12f0a5e64831cc24b3f0c8b71a19425a25093d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbh5lzwf.v2b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bee50ccb-a9d3-40d9-a759-573b3c7eb27d.vbs

Filesize
729B

MD5
19e58fd7be1fb43b07e2e2908618948e

SHA1
7d50a7090f2d9dba1e19112360e83def05ea2973

SHA256
ca7199ef770d3603b53817417a80f1a695d21819e2871c313c27ca0941aff74e

SHA512
9bb935986240a96b8693a0af3d9ee078030839017bb7199f0f873fd4c02dd1dbba48f3a0820c934a5670c8769bab80fc784b6dd8f73f79ccb4f11b6d2d25d8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\c828d929-9858-4aa7-9759-9754c1437642.vbs

Filesize
730B

MD5
4270fbf6b4776f6e1224d893bc59ef74

SHA1
71b9b7f24b2f00e87fafbf2c9c54bba1079adfe7

SHA256
393815300b987eb84676d5ce3df568fd106b938e2f4d247f8ab4c009d3e15c19

SHA512
fd3fa7af827b35c14be7494d011ea1d7628bba882359e082112d5d397c594655661f4adf8ea89d5869f3b73e1496e50b36ce03232516c6f6beb0f89d6abaf590

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc95f715-f81d-4d82-86f5-d5c11605c12b.vbs

Filesize
730B

MD5
394ceb29a2a684bf18e7de47ba8a43e9

SHA1
88e6c2fd609a270ad393625755c809a46e5a235a

SHA256
5a29e377c2ab0bc39f1a63f27565e51c549866be068162c6d78054f3ebca1a95

SHA512
40fa1bc5bc72ad4fbf58fc23ea00c1e39e8765ba6e7adfb436858d7d7000174379ca324f64cf0c46a8ba54da25e447d7e3ee5ddb2853c1fd3097bb7846f72013

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3cf0525-7cc6-4ddc-9cb7-4d2360e6cf66.vbs

Filesize
730B

MD5
e6411bcd84b379089f7c6fdc5763f405

SHA1
a3878cd1abbd66d78537d9f5f9ea3b39b92e0287

SHA256
741d6aaa8578c22da6230532d7c05c33e9cb0700c6e59e2392676cc48e802846

SHA512
c7a15c20d482481876613a3f7edecd1a63603f44ab8c4c731ec26aae3089aa86b8f983f6aed2eb710062f63214a1823a2e3f6e33f25c19a0f315f28ef588e785

Download Submit
C:\Users\Admin\AppData\Local\Temp\f093b3aa-95f1-483b-af09-abd28d29d1a2.vbs

Filesize
506B

MD5
21b5d1af761c2ecc23b711e7abe5ef8b

SHA1
31c8fca44ce49dbe2188c782e4a933e98f8557a0

SHA256
b5b4a52577479bffe56192b0d5319820a4dc284bf26f205b3884cc89ae734ba6

SHA512
4aa9ecc5cc7753c3202876b874127d76eaf0a513b7f0b95baaa3432bbacd3b7fb6f29b3fa171a47f36d6e88b63ecafe8f88afedfae492886f243c75aeee0dc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd4da839-80a2-4767-b4cf-b1c4f58d86fe.vbs

Filesize
730B

MD5
5c5d1f83ff43f2422f745df680e5bdb7

SHA1
0e3f329e6801c05629c741faf82857a1fec872bb

SHA256
f4b71f31059f28ece2a911e45998ba547ba43144b7854c1b2d20edc136dfa038

SHA512
4ad02c4fbb555ddeaced2450109c5725f65f563b5e8b65612bce1c64c1054dc6227c3084ce0593a13eb946989b239253cb2cad567522409a71b713fad4fcf34e

Download Submit
C:\Windows\System32\CloudExperienceHostCommon\RuntimeBroker.exe

Filesize
1.5MB

MD5
a5fab16bfd5f2f5b2beef03fc634c78b

SHA1
e2876e25315d4109734bd0ffa2e3d50db7550f5e

SHA256
26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

SHA512
a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894

Download Submit
memory/312-297-0x0000000001110000-0x0000000001122000-memory.dmp

Filesize
72KB

Download
memory/548-251-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download
memory/888-227-0x0000000001410000-0x0000000001422000-memory.dmp

Filesize
72KB

Download
memory/1188-338-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/1444-309-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/1872-204-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1936-167-0x0000000000740000-0x00000000008BE000-memory.dmp

Filesize
1.5MB

Download
memory/1936-179-0x000000001BF30000-0x000000001C032000-memory.dmp

Filesize
1.0MB

Download
memory/1936-168-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/2212-239-0x00000000029A0000-0x00000000029B2000-memory.dmp

Filesize
72KB

Download
memory/2808-25-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download
memory/2808-8-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2808-3-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/2808-2-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download
memory/2808-6-0x0000000002870000-0x000000000287A000-memory.dmp

Filesize
40KB

Download
memory/2808-9-0x00000000028B0000-0x00000000028BC000-memory.dmp

Filesize
48KB

Download
memory/2808-7-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/2808-93-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download
memory/2808-10-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/2808-1-0x00000000005B0000-0x000000000072E000-memory.dmp

Filesize
1.5MB

Download
memory/2808-0-0x00007FFEC7053000-0x00007FFEC7055000-memory.dmp

Filesize
8KB

Download
memory/2808-4-0x0000000002860000-0x0000000002872000-memory.dmp

Filesize
72KB

Download
memory/2808-24-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download
memory/2808-5-0x0000000002880000-0x000000000288C000-memory.dmp

Filesize
48KB

Download
memory/2808-21-0x000000001BBC0000-0x000000001BBC8000-memory.dmp

Filesize
32KB

Download
memory/2808-20-0x000000001B430000-0x000000001B43C000-memory.dmp

Filesize
48KB

Download
memory/2808-18-0x000000001B420000-0x000000001B428000-memory.dmp

Filesize
32KB

Download
memory/2808-17-0x000000001B410000-0x000000001B41C000-memory.dmp

Filesize
48KB

Download
memory/2808-11-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2808-16-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/2808-15-0x0000000002910000-0x000000000291A000-memory.dmp

Filesize
40KB

Download
memory/2808-14-0x0000000002900000-0x000000000290C000-memory.dmp

Filesize
48KB

Download
memory/2808-13-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/2808-12-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/3344-84-0x0000021211DC0000-0x0000021211DE2000-memory.dmp

Filesize
136KB

Download
memory/3580-274-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/3696-346-0x0000000001020000-0x0000000001032000-memory.dmp

Filesize
72KB

Download
memory/4528-193-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download