dcrat | 50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Size

1.5MB
MD5

7b051970be6c2699829c126a8a6e63e0
SHA1

95dc9fe1223e49f02932104f79b91f38040f242a
SHA256

50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65
SHA512

f71d210e34c6cfa62de1dfe0a74ae33e91f41f4eb8b95bc169edd3b2e7f51e897dcafdcfcd5e138f337b46aefbe7ab06c29c65234a39cd2039c2cc108231f2c0
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\", \"C:\\Windows\\win\\sysmon.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\dllhost.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\dllhost.exe\", \"C:\\Windows\\System32\\DockInterface.ProxyStub\\RuntimeBroker.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\dllhost.exe\", \"C:\\Windows\\System32\\DockInterface.ProxyStub\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4492	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	4492	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4492	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4492	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4492	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4492	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4492	schtasks.exe	83

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
312	powershell.exe
428	powershell.exe
3308	powershell.exe
3648	powershell.exe
5080	powershell.exe
3024	powershell.exe
2212	powershell.exe
2388	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 12 IoCs

pid	Process
3556	RuntimeBroker.exe
3344	RuntimeBroker.exe
4392	RuntimeBroker.exe
1324	RuntimeBroker.exe
1116	RuntimeBroker.exe
2260	RuntimeBroker.exe
3816	RuntimeBroker.exe
1612	RuntimeBroker.exe
2016	RuntimeBroker.exe
4588	RuntimeBroker.exe
1104	RuntimeBroker.exe
4196	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft\\dllhost.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft\\dllhost.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DockInterface.ProxyStub\\RuntimeBroker.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DockInterface.ProxyStub\\RuntimeBroker.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dwm.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\services.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DockInterface.ProxyStub\RCXC104.tmp	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Windows\System32\DockInterface.ProxyStub\9e8d7a4ca61bd9	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXBEFF.tmp	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\dllhost.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Program Files (x86)\Microsoft\dllhost.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Program Files (x86)\Microsoft\5940a34987c991	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXB855.tmp	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win\RCXBCFB.tmp	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Windows\win\sysmon.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXC309.tmp	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File opened for modification	C:\Windows\Registration\CRMLog\SppExtComObj.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Windows\win\sysmon.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Windows\win\121e5b5079f7c0	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Windows\Registration\CRMLog\SppExtComObj.exe	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
File created	C:\Windows\Registration\CRMLog\e1ef82546f0b02	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2356	schtasks.exe
4032	schtasks.exe
2912	schtasks.exe
2500	schtasks.exe
2276	schtasks.exe
4612	schtasks.exe
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
3648	powershell.exe
3024	powershell.exe
2388	powershell.exe
3308	powershell.exe
428	powershell.exe
2212	powershell.exe
2212	powershell.exe
312	powershell.exe
312	powershell.exe
5080	powershell.exe
5080	powershell.exe
3308	powershell.exe
3308	powershell.exe
3648	powershell.exe
3648	powershell.exe
2388	powershell.exe
2388	powershell.exe
3024	powershell.exe
3024	powershell.exe
2212	powershell.exe
428	powershell.exe
428	powershell.exe
312	powershell.exe
5080	powershell.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe
3556	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	3556	RuntimeBroker.exe
Token: SeDebugPrivilege	3344	RuntimeBroker.exe
Token: SeDebugPrivilege	4392	RuntimeBroker.exe
Token: SeDebugPrivilege	1324	RuntimeBroker.exe
Token: SeDebugPrivilege	1116	RuntimeBroker.exe
Token: SeDebugPrivilege	2260	RuntimeBroker.exe
Token: SeDebugPrivilege	3816	RuntimeBroker.exe
Token: SeDebugPrivilege	1612	RuntimeBroker.exe
Token: SeDebugPrivilege	2016	RuntimeBroker.exe
Token: SeDebugPrivilege	4588	RuntimeBroker.exe
Token: SeDebugPrivilege	1104	RuntimeBroker.exe
Token: SeDebugPrivilege	4196	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3648	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	92
PID 4512 wrote to memory of 3648	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	92
PID 4512 wrote to memory of 5080	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	93
PID 4512 wrote to memory of 5080	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	93
PID 4512 wrote to memory of 428	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	94
PID 4512 wrote to memory of 428	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	94
PID 4512 wrote to memory of 2388	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	95
PID 4512 wrote to memory of 2388	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	95
PID 4512 wrote to memory of 3024	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	96
PID 4512 wrote to memory of 3024	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	96
PID 4512 wrote to memory of 2212	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	97
PID 4512 wrote to memory of 2212	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	97
PID 4512 wrote to memory of 312	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	99
PID 4512 wrote to memory of 312	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	99
PID 4512 wrote to memory of 3308	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	100
PID 4512 wrote to memory of 3308	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	100
PID 4512 wrote to memory of 2272	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	107
PID 4512 wrote to memory of 2272	4512	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe	107
PID 2272 wrote to memory of 3084	2272	cmd.exe	110
PID 2272 wrote to memory of 3084	2272	cmd.exe	110
PID 2272 wrote to memory of 3556	2272	cmd.exe	117
PID 2272 wrote to memory of 3556	2272	cmd.exe	117
PID 3556 wrote to memory of 3404	3556	RuntimeBroker.exe	120
PID 3556 wrote to memory of 3404	3556	RuntimeBroker.exe	120
PID 3556 wrote to memory of 4020	3556	RuntimeBroker.exe	121
PID 3556 wrote to memory of 4020	3556	RuntimeBroker.exe	121
PID 3404 wrote to memory of 3344	3404	WScript.exe	125
PID 3404 wrote to memory of 3344	3404	WScript.exe	125
PID 3344 wrote to memory of 3792	3344	RuntimeBroker.exe	126
PID 3344 wrote to memory of 3792	3344	RuntimeBroker.exe	126
PID 3344 wrote to memory of 2880	3344	RuntimeBroker.exe	127
PID 3344 wrote to memory of 2880	3344	RuntimeBroker.exe	127
PID 3792 wrote to memory of 4392	3792	WScript.exe	131
PID 3792 wrote to memory of 4392	3792	WScript.exe	131
PID 4392 wrote to memory of 2592	4392	RuntimeBroker.exe	132
PID 4392 wrote to memory of 2592	4392	RuntimeBroker.exe	132
PID 4392 wrote to memory of 5080	4392	RuntimeBroker.exe	133
PID 4392 wrote to memory of 5080	4392	RuntimeBroker.exe	133
PID 2592 wrote to memory of 1324	2592	WScript.exe	134
PID 2592 wrote to memory of 1324	2592	WScript.exe	134
PID 1324 wrote to memory of 4588	1324	RuntimeBroker.exe	135
PID 1324 wrote to memory of 4588	1324	RuntimeBroker.exe	135
PID 1324 wrote to memory of 1440	1324	RuntimeBroker.exe	136
PID 1324 wrote to memory of 1440	1324	RuntimeBroker.exe	136
PID 4588 wrote to memory of 1116	4588	WScript.exe	137
PID 4588 wrote to memory of 1116	4588	WScript.exe	137
PID 1116 wrote to memory of 3288	1116	RuntimeBroker.exe	138
PID 1116 wrote to memory of 3288	1116	RuntimeBroker.exe	138
PID 1116 wrote to memory of 760	1116	RuntimeBroker.exe	139
PID 1116 wrote to memory of 760	1116	RuntimeBroker.exe	139
PID 3288 wrote to memory of 2260	3288	WScript.exe	140
PID 3288 wrote to memory of 2260	3288	WScript.exe	140
PID 2260 wrote to memory of 4368	2260	RuntimeBroker.exe	141
PID 2260 wrote to memory of 4368	2260	RuntimeBroker.exe	141
PID 2260 wrote to memory of 2496	2260	RuntimeBroker.exe	142
PID 2260 wrote to memory of 2496	2260	RuntimeBroker.exe	142
PID 4368 wrote to memory of 3816	4368	WScript.exe	143
PID 4368 wrote to memory of 3816	4368	WScript.exe	143
PID 3816 wrote to memory of 4640	3816	RuntimeBroker.exe	144
PID 3816 wrote to memory of 4640	3816	RuntimeBroker.exe	144
PID 3816 wrote to memory of 3344	3816	RuntimeBroker.exe	145
PID 3816 wrote to memory of 3344	3816	RuntimeBroker.exe	145
PID 4640 wrote to memory of 1612	4640	WScript.exe	146
PID 4640 wrote to memory of 1612	4640	WScript.exe	146

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe
"C:\Users\Admin\AppData\Local\Temp\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\win\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v67Xi2pxA7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3084
- - C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
    "C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3556
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2979c63b-0347-4bb3-b610-963d77c4e869.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3404
    - - C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\179dae95-09eb-44f9-a167-06ab5d7b7ffd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3b6c580-7285-43f3-89a4-ad26b22ace90.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0993e53f-31f7-4a8e-80cb-e92d2780e27c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79b784c-7da1-4fa9-8479-9e812752a0a7.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856bd992-609f-413c-bf6a-d877c6f5dac7.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cb49bab-5770-435c-b051-166e1c32dd31.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa48eca-cda7-4c78-9cb3-0912c41415cc.vbs"
        18⤵
        
        PID:1384
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f93c5259-787a-41dd-b426-e20cbb180d9a.vbs"
        20⤵
        
        PID:1500
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ebd3ee7-9991-4d17-8f7f-49a294da8e81.vbs"
        22⤵
        
        PID:2932
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0008268-cee4-42be-8588-e3a19bd9043f.vbs"
        24⤵
        
        PID:2588
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        
        C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d93260-bf0e-4cc7-b6d4-4791443b0ad5.vbs"
        26⤵
        
        PID:4508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2052180-ffe1-415d-afb5-53b694ff2a3b.vbs"
        26⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92fb99f4-d8d7-40aa-a02e-62129ee3d796.vbs"
        24⤵
        
        PID:428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6f18b12-4002-4e86-97e9-2de2959635b0.vbs"
        22⤵
        
        PID:1172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a2f7dc5-4e3e-454d-8810-a271a476b3c9.vbs"
        20⤵
        
        PID:1376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\342e1df8-448b-4091-bcd0-5f187495e0bf.vbs"
        18⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0fb0af8-55b4-4689-bf42-451a6754f7ca.vbs"
        16⤵
        
        PID:3344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\750e1a48-ebba-4797-bffe-2b42d76fe247.vbs"
        14⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d84511-aa1b-4f77-b8e9-2cc67b283494.vbs"
        12⤵
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93edd23a-8289-4d54-94ac-ef77c98a82c5.vbs"
        10⤵
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e9ab1e1-e076-4f8d-beeb-0c690d4d8037.vbs"
        8⤵
        
        PID:5080
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2dcbc3a-28e3-4785-a334-d3bf64336402.vbs"
        6⤵
        
        PID:2880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c869518b-c38f-4c36-b464-50f8ca0b6698.vbs"
      4⤵
      PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\win\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DockInterface.ProxyStub\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\dllhost.exe

Filesize
1.5MB

MD5
7b051970be6c2699829c126a8a6e63e0

SHA1
95dc9fe1223e49f02932104f79b91f38040f242a

SHA256
50dbf139d27c843aad3a248e53e3aee75b08791cf5043c074d190426481f0a65

SHA512
f71d210e34c6cfa62de1dfe0a74ae33e91f41f4eb8b95bc169edd3b2e7f51e897dcafdcfcd5e138f337b46aefbe7ab06c29c65234a39cd2039c2cc108231f2c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\0993e53f-31f7-4a8e-80cb-e92d2780e27c.vbs

Filesize
737B

MD5
a11fdcdaa3d928608b2f313a3cd1a839

SHA1
0b2ec901d14c8838dc692f9baeedc275a3070597

SHA256
88e236435e06c22be4772e759bb9a7f1bd0e931a5cb288719eb5bf427eec935f

SHA512
e544addbb746dabc6ba8b491329a88cb2eee4d5d5ec7a499b002928072cf3e135477efe9559aa647f7c2f82afa0e8bee4029be7607cbe1d0503024f56f6c6fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\179dae95-09eb-44f9-a167-06ab5d7b7ffd.vbs

Filesize
737B

MD5
2584c59ff305d7f6580ff22ac3413dcf

SHA1
cb98d9339716c097d5d20e182695b81bc19e03f9

SHA256
c612c355c53898678262660d1685630f8ff59dab62f5f3c8c9ad7b2cb86c4107

SHA512
cd4a328698a922cd556073a64bd2d68a218d055c40437e24c019cf02484f0e0ce73dfd4efbc538d2748ece55767beb795957ab4d6575692ff117792399a98f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\2979c63b-0347-4bb3-b610-963d77c4e869.vbs

Filesize
737B

MD5
a68983fa9c7d25b17dea3f56156ce9c8

SHA1
ac4b43c6c57d30b02c561aa68c18e103b3c20d9f

SHA256
ea0edddf6040d0cefda9d8b47a5b1351c35ef31b0b9a852b0153b029719387af

SHA512
7171583ed0add9a2b66a6e3c8114924e1d39661e5038c204e8dece95c05ce5cc3cca63e0e4faa3e06463f517a9005a9b02a07683de87f64b9871fda9f4693d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ebd3ee7-9991-4d17-8f7f-49a294da8e81.vbs

Filesize
737B

MD5
a3c88d0319eeceed102d69463171f11d

SHA1
01476d6f38115f3db701dfb74b18cf0861e7648f

SHA256
1073728f28718079b64b72dd99fea63298a9d728e45008809a18dc7e435cad4e

SHA512
30e2cec7ae324fe8b3e1995d5a1743c1473708e22f750602f0a4fbfcc7a2ede30a32c5596c333a7109edd4935d431717b764527c76d265af7562bb3c95e5b134

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb49bab-5770-435c-b051-166e1c32dd31.vbs

Filesize
737B

MD5
88cede45baa38981031bef213c0458f2

SHA1
96a9fa85de4cfa8cf0ab9bcfd0072d383e8c0c69

SHA256
1c8a07a2c8e3845de3444b8cf9f62d33a665f3a1af63a268375e1b21783c460f

SHA512
af9fccc82440bf80e14c1845476526fd3beb5035eff29a7e4bc3b3accb74498e7570eab88a5ab947f09c021879642ce4332bf1afd1c52f3921ce5603f62ee3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\856bd992-609f-413c-bf6a-d877c6f5dac7.vbs

Filesize
737B

MD5
7dd75893157c99688d45f881a4ec640e

SHA1
e64bf50aa480e6941b76b0fe6452a43c7840a6a8

SHA256
f7a9a3bbd715b507e427772039903bc39e4234ea84dbdede1f3ba48897fc1803

SHA512
af947e2ef9b0395e8e8b6b614b0adecfea48d1b34192b92924a72cc7a922ce81ed64cfff76bd2ef507326540777b8268c84280f4b32307b5314790a22d63af1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vq50eopd.geu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1d93260-bf0e-4cc7-b6d4-4791443b0ad5.vbs

Filesize
737B

MD5
4eb28c3e0f7c871735ae00c48219f8a0

SHA1
5e76310ef02e941217a25a49d129c7b7b5f89e95

SHA256
7fc50e9c92f7a2d234facb734e2fc09961a13241fa9b6a8d3040adbda2dcbe4e

SHA512
f40848c2daf4bfc2611d8b22753b68a59f82c79fa6afe1545cab8747ecc72a346e5501d396d76a493e1c94a74c38931d4787169879fbc47e25a7dba732a5df06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3b6c580-7285-43f3-89a4-ad26b22ace90.vbs

Filesize
737B

MD5
c1fa227a4d6eb0b07418d351cbdca908

SHA1
8f5f2979a74d38d1b362af7baabc9d706584835a

SHA256
7e713356b565f7cb221588f72b691602f3bb6cb2daca34c7acdfac6ae29744d8

SHA512
f04b0a0f3139b16e6af0f69da004508bdc1a8c1c327d28b4457029b3d0223399a463d2aa457779788d85aa73332cb215f99392a0d8a00f450dd53db5b5053202

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0008268-cee4-42be-8588-e3a19bd9043f.vbs

Filesize
737B

MD5
3efdd7f470a03e1ebbd68fada77485d4

SHA1
06d489d12cf35153b21f45d073b9c081e132a5ea

SHA256
8769f7f91c805ceee7e59a267fa434350c7860e7cb7cf18022b6cd7a23504ab8

SHA512
15ddc0a4b1db2af18e3d5f58e024a3a39af4f62e65c21312983ced71bb56e614496fb9058bd77c8eaf7a9ef8e6021bb853baccbc93391d6464243621c6b1b0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c79b784c-7da1-4fa9-8479-9e812752a0a7.vbs

Filesize
737B

MD5
4af6c5b3389e06ab7a5bbbbb08723042

SHA1
facfef3c0b2da4eaabe338a16c1f737f2f298c1c

SHA256
020cff9c2e3ed6e8435b672017776f4bd64203eb73b781918d7531435bc460ce

SHA512
abed9beaa06f193d512485c84f9db895da91e2028479b16be578e7cba3c90d8d6d3e142ade7ddf5e93930fc157c245b225f4b192ff2c1e84735d7b87d3140b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c869518b-c38f-4c36-b464-50f8ca0b6698.vbs

Filesize
513B

MD5
d54acbfe286b980d0bab54ff483c1ead

SHA1
8d37798cddf9139b55dcc05a3194958c04351d63

SHA256
95050317b008e4ad94b13b8db885bd0f8749441fa79822f7c46a3ccaea818f30

SHA512
14f787f75505d6b3332dbc271b61c9a25e3688e16f93e773d63ac9403e2f026da9a1ff5fb2394ef5491862727b49f0a3781ae85188aea9fb098f71541fe13ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\caa48eca-cda7-4c78-9cb3-0912c41415cc.vbs

Filesize
737B

MD5
f601be450d605e3b8df680501ca29809

SHA1
c41352389c799381a772ea878d0855fca05c2688

SHA256
d26dbbf738957e2b35f83cd5debfebe6f7ff7821049f08f1c7428f443f91b150

SHA512
338390a17beffeb7cc08dbe14f6669c4bf2d019dfff142a563243ab53c38bcce25c104ca8a5eb2ab8bea581148b17710104698a76243ee8110b4f872802c9715

Download Submit
C:\Users\Admin\AppData\Local\Temp\f93c5259-787a-41dd-b426-e20cbb180d9a.vbs

Filesize
737B

MD5
22b0e26bae6b779e853507f1387dbeb4

SHA1
92a07c82d67b9752598f140e8fb29d477e9e6d6d

SHA256
a1aa8bb6be017c40b8a8632ef72fb9940b46a71aa4716b523b3b196f094953d0

SHA512
5a715463ef39cb1ca7fb32f014fefb59aa106b30bffe3881edd94f9bf1fecc2befa24794ac895096cc8e87b3e7a27e313d42aeafa65ef91377d0cd4b63abadd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\v67Xi2pxA7.bat

Filesize
225B

MD5
3e23612ffe679a2827d7d057d712fc99

SHA1
0ada83dad76184afc3075f117cff3335aec9b80b

SHA256
095e71755d6a455e662f789f5e402ff856bf3da4e232662e135bdac98d54f446

SHA512
5d8c5d8638b749e2c4ab5c86c00ec632fc92b8db1cc5724286aa7f08c1d3785dde988cef20b025fa7f4bf9751a4713e32b64f6e95fa58b39cdb293db8aa8b2c9

Download Submit
memory/1116-234-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/2260-246-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/2388-114-0x000001E43EBB0000-0x000001E43EBD2000-memory.dmp

Filesize
136KB

Download
memory/3556-188-0x000000001BF10000-0x000000001BF22000-memory.dmp

Filesize
72KB

Download
memory/4512-95-0x00007FFF759D0000-0x00007FFF76491000-memory.dmp

Filesize
10.8MB

Download
memory/4512-5-0x0000000002620000-0x000000000262C000-memory.dmp

Filesize
48KB

Download
memory/4512-12-0x000000001B700000-0x000000001B708000-memory.dmp

Filesize
32KB

Download
memory/4512-11-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/4512-8-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

Filesize
32KB

Download
memory/4512-9-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/4512-10-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/4512-0-0x00007FFF759D3000-0x00007FFF759D5000-memory.dmp

Filesize
8KB

Download
memory/4512-6-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/4512-15-0x000000001B730000-0x000000001B73A000-memory.dmp

Filesize
40KB

Download
memory/4512-7-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/4512-13-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/4512-14-0x000000001B720000-0x000000001B72C000-memory.dmp

Filesize
48KB

Download
memory/4512-4-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4512-25-0x00007FFF759D0000-0x00007FFF76491000-memory.dmp

Filesize
10.8MB

Download
memory/4512-24-0x00007FFF759D0000-0x00007FFF76491000-memory.dmp

Filesize
10.8MB

Download
memory/4512-21-0x000000001B800000-0x000000001B808000-memory.dmp

Filesize
32KB

Download
memory/4512-3-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/4512-2-0x00007FFF759D0000-0x00007FFF76491000-memory.dmp

Filesize
10.8MB

Download
memory/4512-20-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/4512-18-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/4512-1-0x00000000002F0000-0x000000000046E000-memory.dmp

Filesize
1.5MB

Download
memory/4512-17-0x000000001B750000-0x000000001B75C000-memory.dmp

Filesize
48KB

Download
memory/4512-16-0x000000001B740000-0x000000001B748000-memory.dmp

Filesize
32KB

Download