dcrat | 0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911

Resubmissions

13-01-2025 04:05

250113-enzvbaxner 10

12-01-2025 14:56

250112-sa1fkszjhp 10

Analysis

max time kernel
717s
max time network
705s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dabf40b2ed8d96638f713f6373ef64cb.exe
Size

2.5MB
MD5

dabf40b2ed8d96638f713f6373ef64cb
SHA1

4c9479e54b394722bdaeff1b36d903502cd1b1fe
SHA256

0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911
SHA512

0a9abca78917efea2b77dcccf862761e99001a26bba3de871c233b07500c7e414e32ebd41f93e23b332696db1d56aaa9e8357e60ac32efbf06c13bf40abf1fd0
SSDEEP

49152:UbA30QsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifV:UbcLlK6d3/Nh/bV/Oq3Dxp2RUGV

Score

10^/10

dcrat discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Default\\smss.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Default\\smss.exe\", \"C:\\Users\\Default User\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Default\\smss.exe\", \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Serverbroker.exe\", \"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\""	Serverbroker.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3816	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3816	schtasks.exe	88

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c6d-10.dat	dcrat
behavioral2/memory/1948-13-0x0000000000700000-0x000000000092E000-memory.dmp	dcrat
behavioral2/files/0x000c000000023c88-93.dat	dcrat
behavioral2/files/0x0007000000023c8c-218.dat	dcrat
behavioral2/files/0x0008000000023c73-302.dat	dcrat
behavioral2/memory/2628-306-0x0000000000750000-0x000000000097E000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c86-345.dat	dcrat
behavioral2/memory/1184-347-0x0000000000FA0000-0x00000000011CE000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Serverbroker.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dabf40b2ed8d96638f713f6373ef64cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Serverbroker.exe

Executes dropped EXE 20 IoCs

pid	Process
1948	Serverbroker.exe
4820	Serverbroker.exe
2360	Serverbroker.exe
4300	Serverbroker.exe
840	Serverbroker.exe
4840	Serverbroker.exe
2184	Serverbroker.exe
1688	Serverbroker.exe
564	Serverbroker.exe
4992	Serverbroker.exe
2628	winlogon.exe
4128	RuntimeBroker.exe
3352	Serverbroker.exe
4748	Serverbroker.exe
1872	Serverbroker.exe
5004	Serverbroker.exe
1184	smss.exe
836	Serverbroker.exe
2016	sppsvc.exe
1624	Serverbroker.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverbroker = "\"C:\\Users\\Default User\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverbroker = "\"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\smss.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\smss.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverbroker = "\"C:\\Users\\Default User\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverbroker = "\"C:\\Windows\\Migration\\WTR\\Serverbroker.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Mssurrogatebrowserhostperf\\winlogon.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\sppsvc.exe\""	Serverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	Serverbroker.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe	Serverbroker.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\0a1fd5f707cd16	Serverbroker.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD799.tmp	Serverbroker.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD79A.tmp	Serverbroker.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe	Serverbroker.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\Serverbroker.exe	Serverbroker.exe
File created	C:\Windows\Migration\WTR\d6ea2b4d01a4d6	Serverbroker.exe
File opened for modification	C:\Windows\Migration\WTR\RCXD9AF.tmp	Serverbroker.exe
File opened for modification	C:\Windows\Migration\WTR\RCXD9B0.tmp	Serverbroker.exe
File opened for modification	C:\Windows\Migration\WTR\Serverbroker.exe	Serverbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dabf40b2ed8d96638f713f6373ef64cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dabf40b2ed8d96638f713f6373ef64cb.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Serverbroker.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3284	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
600	schtasks.exe
4304	schtasks.exe
1860	schtasks.exe
3936	schtasks.exe
2652	schtasks.exe
4396	schtasks.exe
2872	schtasks.exe
4804	schtasks.exe
1900	schtasks.exe
1832	schtasks.exe
3560	schtasks.exe
1728	schtasks.exe
3484	schtasks.exe
3228	schtasks.exe
4300	schtasks.exe
2224	schtasks.exe
2336	schtasks.exe
2500	schtasks.exe
1616	schtasks.exe
932	schtasks.exe
2548	schtasks.exe
5004	schtasks.exe
424	schtasks.exe
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
1948	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe
4820	Serverbroker.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	Serverbroker.exe
Token: SeDebugPrivilege	4820	Serverbroker.exe
Token: SeDebugPrivilege	2360	Serverbroker.exe
Token: SeDebugPrivilege	4300	Serverbroker.exe
Token: SeDebugPrivilege	840	Serverbroker.exe
Token: SeDebugPrivilege	4840	Serverbroker.exe
Token: SeDebugPrivilege	2184	Serverbroker.exe
Token: SeDebugPrivilege	1688	Serverbroker.exe
Token: SeDebugPrivilege	564	Serverbroker.exe
Token: SeDebugPrivilege	4992	Serverbroker.exe
Token: SeDebugPrivilege	2628	winlogon.exe
Token: SeDebugPrivilege	4128	RuntimeBroker.exe
Token: SeDebugPrivilege	3352	Serverbroker.exe
Token: SeDebugPrivilege	4748	Serverbroker.exe
Token: SeDebugPrivilege	1872	Serverbroker.exe
Token: SeDebugPrivilege	5004	Serverbroker.exe
Token: SeDebugPrivilege	1184	smss.exe
Token: SeDebugPrivilege	836	Serverbroker.exe
Token: SeDebugPrivilege	2016	sppsvc.exe
Token: SeDebugPrivilege	1624	Serverbroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4820	2404	dabf40b2ed8d96638f713f6373ef64cb.exe	83
PID 2404 wrote to memory of 4820	2404	dabf40b2ed8d96638f713f6373ef64cb.exe	83
PID 2404 wrote to memory of 4820	2404	dabf40b2ed8d96638f713f6373ef64cb.exe	83
PID 4820 wrote to memory of 4424	4820	WScript.exe	85
PID 4820 wrote to memory of 4424	4820	WScript.exe	85
PID 4820 wrote to memory of 4424	4820	WScript.exe	85
PID 4424 wrote to memory of 1948	4424	cmd.exe	87
PID 4424 wrote to memory of 1948	4424	cmd.exe	87
PID 1948 wrote to memory of 4820	1948	Serverbroker.exe	119
PID 1948 wrote to memory of 4820	1948	Serverbroker.exe	119
PID 4424 wrote to memory of 3284	4424	cmd.exe	120
PID 4424 wrote to memory of 3284	4424	cmd.exe	120
PID 4424 wrote to memory of 3284	4424	cmd.exe	120
PID 4820 wrote to memory of 4756	4820	Serverbroker.exe	122
PID 4820 wrote to memory of 4756	4820	Serverbroker.exe	122
PID 4820 wrote to memory of 3504	4820	Serverbroker.exe	123
PID 4820 wrote to memory of 3504	4820	Serverbroker.exe	123
PID 4756 wrote to memory of 2360	4756	WScript.exe	135
PID 4756 wrote to memory of 2360	4756	WScript.exe	135
PID 2360 wrote to memory of 4044	2360	Serverbroker.exe	137
PID 2360 wrote to memory of 4044	2360	Serverbroker.exe	137
PID 2360 wrote to memory of 4456	2360	Serverbroker.exe	138
PID 2360 wrote to memory of 4456	2360	Serverbroker.exe	138
PID 4044 wrote to memory of 4300	4044	WScript.exe	141
PID 4044 wrote to memory of 4300	4044	WScript.exe	141
PID 4300 wrote to memory of 4700	4300	Serverbroker.exe	143
PID 4300 wrote to memory of 4700	4300	Serverbroker.exe	143
PID 4300 wrote to memory of 4544	4300	Serverbroker.exe	144
PID 4300 wrote to memory of 4544	4300	Serverbroker.exe	144
PID 4700 wrote to memory of 840	4700	WScript.exe	146
PID 4700 wrote to memory of 840	4700	WScript.exe	146
PID 840 wrote to memory of 2248	840	Serverbroker.exe	148
PID 840 wrote to memory of 2248	840	Serverbroker.exe	148
PID 840 wrote to memory of 2444	840	Serverbroker.exe	149
PID 840 wrote to memory of 2444	840	Serverbroker.exe	149
PID 2248 wrote to memory of 4840	2248	WScript.exe	151
PID 2248 wrote to memory of 4840	2248	WScript.exe	151
PID 4840 wrote to memory of 2428	4840	Serverbroker.exe	154
PID 4840 wrote to memory of 2428	4840	Serverbroker.exe	154
PID 4840 wrote to memory of 940	4840	Serverbroker.exe	155
PID 4840 wrote to memory of 940	4840	Serverbroker.exe	155
PID 2428 wrote to memory of 2184	2428	WScript.exe	157
PID 2428 wrote to memory of 2184	2428	WScript.exe	157
PID 2184 wrote to memory of 3656	2184	Serverbroker.exe	159
PID 2184 wrote to memory of 3656	2184	Serverbroker.exe	159
PID 2184 wrote to memory of 4592	2184	Serverbroker.exe	160
PID 2184 wrote to memory of 4592	2184	Serverbroker.exe	160
PID 3656 wrote to memory of 1688	3656	WScript.exe	162
PID 3656 wrote to memory of 1688	3656	WScript.exe	162
PID 1688 wrote to memory of 1832	1688	Serverbroker.exe	164
PID 1688 wrote to memory of 1832	1688	Serverbroker.exe	164
PID 1688 wrote to memory of 1204	1688	Serverbroker.exe	165
PID 1688 wrote to memory of 1204	1688	Serverbroker.exe	165
PID 1832 wrote to memory of 564	1832	WScript.exe	167
PID 1832 wrote to memory of 564	1832	WScript.exe	167
PID 564 wrote to memory of 4396	564	Serverbroker.exe	169
PID 564 wrote to memory of 4396	564	Serverbroker.exe	169
PID 564 wrote to memory of 4552	564	Serverbroker.exe	170
PID 564 wrote to memory of 4552	564	Serverbroker.exe	170
PID 4396 wrote to memory of 4992	4396	WScript.exe	172
PID 4396 wrote to memory of 4992	4396	WScript.exe	172
PID 4992 wrote to memory of 4736	4992	Serverbroker.exe	174
PID 4992 wrote to memory of 4736	4992	Serverbroker.exe	174
PID 4992 wrote to memory of 4828	4992	Serverbroker.exe	175

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Serverbroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Serverbroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe
C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Mssurrogatebrowserhostperf\8kPsHmvrEcJwjafU40gzsGMXV7Gtxc.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Mssurrogatebrowserhostperf\SmjPROQS4143k.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Mssurrogatebrowserhostperf\Serverbroker.exe
      "C:\Mssurrogatebrowserhostperf\Serverbroker.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1948
    - - C:\Windows\Migration\WTR\Serverbroker.exe
        
        "C:\Windows\Migration\WTR\Serverbroker.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4820
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f499d4f-87aa-4831-8b7a-3601f6d2dd73.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caa7e7bc-4e70-412e-af1e-7038c6ea12e2.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6d3e5ef-78d9-4705-a819-f72bc5fa8790.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac06b0b0-40eb-49d9-9192-af04d081ac44.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4076f481-40bf-4120-bb04-6f4ceeb45ad5.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\169c1ca7-977e-4c4a-9e46-516986a90605.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156c6e29-c66c-4ec9-8b21-f75bfc306ac2.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56219707-fd03-44be-b64c-bf30b1036c31.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b141de51-1de5-423d-991e-7d37896eaf45.vbs"
        22⤵
        
        PID:4736
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a3e074b-a3ec-41e5-a5ae-0b352c30a68a.vbs"
        24⤵
        
        PID:4160
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6919bc9e-3e97-4fed-ad72-ec43eeb5e746.vbs"
        26⤵
        
        PID:4140
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f8dea70-4c1f-49fc-9d4c-382c19adf740.vbs"
        28⤵
        
        PID:3312
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\646b579e-a345-4e42-a5ba-a9b8a0f3d478.vbs"
        30⤵
        
        PID:2952
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        
        C:\Windows\Migration\WTR\Serverbroker.exe
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62557318-52d6-4fe0-86a7-8513000e41ca.vbs"
        30⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d0c3104-b1ce-45d4-aa28-1deb6559278a.vbs"
        28⤵
        
        PID:4676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da13f697-4fbf-4d2b-a6e9-98525a6878a9.vbs"
        26⤵
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6a51afd-347d-42e6-8b02-731bf91c71c0.vbs"
        24⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dec454e0-0849-4755-8a05-5fee7be73a51.vbs"
        22⤵
        
        PID:4828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e39b9d7-7b1c-434b-8001-85f04a260f59.vbs"
        20⤵
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2e9f9f7-77f9-4d4e-91b6-e55aa94d45cb.vbs"
        18⤵
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd54c367-d576-48a5-b022-b5d0dfdaa4e7.vbs"
        16⤵
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a4af9c-e880-4072-8094-35d5b294f6bd.vbs"
        14⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe175c8-92f1-472e-9dd4-a20713dd115d.vbs"
        12⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f4afb7f-a43d-43f5-b7b3-ab73698d9fb5.vbs"
        10⤵
        
        PID:4544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608726bb-6d8b-42cf-9c54-79b2f72561d9.vbs"
        8⤵
        
        PID:4456
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d270abae-c61d-42be-9e09-8c1a79ec09de.vbs"
        6⤵
        
        PID:3504
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Serverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Serverbroker" /sc ONLOGON /tr "'C:\Users\Default User\Serverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Serverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Mssurrogatebrowserhostperf\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Mssurrogatebrowserhostperf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Mssurrogatebrowserhostperf\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\Serverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Serverbroker" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Serverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\Serverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Serverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Serverbroker" /sc ONLOGON /tr "'C:\Users\Default User\Serverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerbrokerS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Serverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Mssurrogatebrowserhostperf\winlogon.exe
C:\Mssurrogatebrowserhostperf\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Users\Default\RuntimeBroker.exe
C:\Users\Default\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Users\Default User\Serverbroker.exe
"C:\Users\Default User\Serverbroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Recovery\WindowsRE\smss.exe
C:\Recovery\WindowsRE\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe
"C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mssurrogatebrowserhostperf\8kPsHmvrEcJwjafU40gzsGMXV7Gtxc.vbe

Filesize
216B

MD5
a7e0475eb8e2e26e457a4c752dc26444

SHA1
060c460c794a47f44686b717eb8d15f1945edb58

SHA256
8ece9e304ffb5cba5d51cb2187907d4910167fca5f67a59d316fd9d2ce47ae52

SHA512
9d7cac7d9fd93e3b88c1ea7663af7687ae08e8ee39dcc1549c4fb25d7342f3a9774b7f8e7c1b50ab96b09629ab4c587548a5b1063c843132277c7baa2069cad6

Download Submit
C:\Mssurrogatebrowserhostperf\Serverbroker.exe

Filesize
2.2MB

MD5
67f998093c11d8a104aef7a92a2d5b26

SHA1
cea4392bfb620e2d5b303c7f39fe68a30080a771

SHA256
f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

SHA512
e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

Download Submit
C:\Mssurrogatebrowserhostperf\SmjPROQS4143k.bat

Filesize
160B

MD5
fa37ae621180833b315a091613c1540f

SHA1
88d6ec7192566b085231e6a6f05f813a8355514d

SHA256
f3f37ca346054c66639f1320cccc5b8f618ce747c5f9086bd18376a9a42a3484

SHA512
d77768e84e9e01e3e64e00914c5e8f1067796a369c71939641f052c9f9b7d17aef5c9b5e96449d610976f45e291b567c49fc374099a9284c8045ca51d51c9bd0

Download Submit
C:\Mssurrogatebrowserhostperf\winlogon.exe

Filesize
2.2MB

MD5
f329dbed600b6b8a0f3f12eea48398f0

SHA1
d8ca3cbf43b579a13204a8ad6feda175a411bb3c

SHA256
c8095b9792848ca94289f37ee73b4281a626eebf3c9d0afba2bc397902f22a6f

SHA512
bc0a99952e6e8f82e7f4e7170cf5222aa386e4ec52eefcdca5908d7a698b0315dac22f231431fa02ef6a36e0997ebe8529482173e810df41347fef41bd60ac9f

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD79A.tmp

Filesize
2.2MB

MD5
70f35d04041d9c029d59586fc6aa3819

SHA1
a9f37462584d22bad8909ffc1c047cdfee84f049

SHA256
517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6

SHA512
1739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
2.2MB

MD5
f7cafc86323a8afe10ac9772f760e073

SHA1
a081bd604c0f0ae2ede841d4a165749c791c7528

SHA256
4daed97da79eb925dabc21e35b6c232c24cf2d2a9df61e58a7d4b87aabd03fcf

SHA512
b9897d3fc7d0f293746f7d040a6fc8ec516907f409fbb733dc6a75ab9ca6de2b8b307b87e05a5accbc2313eaf7fc0a71800a646d7e081f372cca3179e4778787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Serverbroker.exe.log

Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Temp\156c6e29-c66c-4ec9-8b21-f75bfc306ac2.vbs

Filesize
717B

MD5
b5e74f585fe13a04c4c8925e560d27ca

SHA1
709abc4890b04cc22d0a7f7e35d0b5dfab49177b

SHA256
dbcc6a8866cbd01dc6daaf9f165c3c682dc12139c5a637af9986797ee8457414

SHA512
6fbef0a8ece534b5cf4cccc2992995851dddb39389402aeb8f3a659e6f11feb52433f1fc1df1524bee20dd4b78c0bca2e5143e5c05f7b09114eabcebec8a5eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\169c1ca7-977e-4c4a-9e46-516986a90605.vbs

Filesize
717B

MD5
cee5bde04d73a19d051baaa74d33fc33

SHA1
872f0bb42e4dce21659e551842be01dcd9e3667f

SHA256
eb1afedd1aa8481f7fb0a29492d984af998079a5c1f5ffd026e021a6b76c36f4

SHA512
d32fe9b6975e77cd115a97d1c55bf021081e69c8555ebc2ee1d2eda43b10b3b4ccde07c97b959b36d0efb37554dc445f1b6ded37137d3641d7a0bea3b0a31e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a3e074b-a3ec-41e5-a5ae-0b352c30a68a.vbs

Filesize
717B

MD5
99da60379d9bca8161277889df4f2732

SHA1
8e0f7068285168cc43a891a7c6e0bf0cac2dcc53

SHA256
2a08223ccd90dd6459660ec050cce18b594595a9c8739a5b5db8c5c24e4d7f78

SHA512
d2e3a30798493f3fa6f656034ed7222520caee03ba2412118bef0235780b25e770101a1c6f25297cfb41ace1edcf0ddf56873b4a6163c19af1c8e9b80198e4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f8dea70-4c1f-49fc-9d4c-382c19adf740.vbs

Filesize
717B

MD5
dad20ed730958c2878852840c22cecb1

SHA1
9c28db1256cc3c893be580434c8a4eda218758cd

SHA256
b0c38ddf0a154759ac85dfdbe59e65cef850ea8bf3d71c747192b84e1e5dbb87

SHA512
761581ca8f17e1a735ba9d5834334a8916f6b16fe72209749685f33993d58dae60b57be95462eb6779510df76078433f4d74d6279054e2e8cf5eea5a1068310e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4076f481-40bf-4120-bb04-6f4ceeb45ad5.vbs

Filesize
717B

MD5
8e770c77e6fcbecc14b5a68d82f97c61

SHA1
a17111f935d461a609850ebd6b892284de622c22

SHA256
7d21048c1e8dc8d18f223eb87d6a74e8c20cfda294a883c7a7597338e99ae7ac

SHA512
d2b373c2f7b78be7e296e1b8ffd77fe9b14ce9c4fc8d8bb436203da101af7c6472b2559d025c380692859da977b007c60e4d2af8e8d1b7f768bb64e5bb915f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f499d4f-87aa-4831-8b7a-3601f6d2dd73.vbs

Filesize
717B

MD5
e64ecf9e024c67b2add289fa947e6cb0

SHA1
5c86f3da5a8e5358376caa83cfed2a54140b1130

SHA256
260e6f6605fb847ff53b3270fbbfaa29f9ca422ba6cf0aa13ab4b99c96a1aad8

SHA512
50f23f7e97f6a96b71b82164ec3b78fe946a5cd15db748d16a777000d48cb768e649ed8db93269c12dda4cc4e01fd3a695ed110b5fef66eb20f229cfd57cac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\56219707-fd03-44be-b64c-bf30b1036c31.vbs

Filesize
716B

MD5
04e5db94c2843671847437ea317eef3c

SHA1
66e0af47eae0d634cbc19754497949874070a79b

SHA256
062e5f40eb2ee9770f7944c61f2fef63df2f0f488cf32234bf6892a48c6c3ef0

SHA512
8e3d03635424c9fc95bce4ac55c74466bec440099b3648ec21cf23ea5d5b0965b5cd5ca1cb2a3618914d106fa8bb4b08ec3d1321713d04d3641d6fab6cad3e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\646b579e-a345-4e42-a5ba-a9b8a0f3d478.vbs

Filesize
716B

MD5
8f416291e0c7a335ea6a97cdce39ef52

SHA1
02aad8f7c1825bdadb5feef15925dcb9d7191df2

SHA256
402a0cfb71ad0888cdf06242ac97d68e12680d123814024c23e0f68696c50737

SHA512
ed84818c38e51a28f26208c99dc80e5b8e07ad31ba99efe14e6b2aac78f9d7f1ec716c1c4b434d57c879a9b3c527c68a1daa6df18a207b5b30d2b68f64aff066

Download Submit
C:\Users\Admin\AppData\Local\Temp\6919bc9e-3e97-4fed-ad72-ec43eeb5e746.vbs

Filesize
717B

MD5
53efeb178813b4d07f961c66a9f5ca43

SHA1
53708185951253744cc182348a1c195b1ba5cece

SHA256
645f78c4a17b144174e3a7cebedd812d657b145c25e070a7cb51b84b959bdc7a

SHA512
9a86d16abdb68cf5b5828c8011640a586a431176cb0cf0c4c691157faf1796418a51826f3a01755d369721c2ac2314061139323e38cbc4d838331ac3d060306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac06b0b0-40eb-49d9-9192-af04d081ac44.vbs

Filesize
716B

MD5
473800c4af0e57d4821b79de1a9c6518

SHA1
4bb8160f627efd5d3ee977308c5c00c42ceb722f

SHA256
1519faac5857a6f400351522fd5d5a4541c230b11f7f194d49cb9cd140685ed2

SHA512
c2aba03a77cc7be17ccd5a7915283ae64bf528345d0048a99d3b79f109f5b1dc8a582a68b5bcaad818af4b9ae707a8f5205e07bc7bd4c84965f2471d68bc114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b141de51-1de5-423d-991e-7d37896eaf45.vbs

Filesize
717B

MD5
d219fcc73f1f0813fe79bce9db08fd38

SHA1
7bf1e27a1b0fb4c2e6618b7a2a251f447c1fd16a

SHA256
e0a61cf090663ade5ce36df70ebe2a2eec1d2fd41a4529fc55f17b1e67b176c1

SHA512
e09aaa89b6dcdacd9bd5935e42aaf7841a590483f5b409e4b1fe360cd253f90be8813679cbe370729f68901c2029e8d513c45744598f296b240fe3f42306419c

Download Submit
C:\Users\Admin\AppData\Local\Temp\caa7e7bc-4e70-412e-af1e-7038c6ea12e2.vbs

Filesize
717B

MD5
2dd5f54b9b88267fd6b07ba4fbf70544

SHA1
392db5a0b014940ddc97fd8b8b94b6fb0a2b9e01

SHA256
0ff125a04e9ae0f4a82711803bd38aa7e1a7efef2becf51978a1d9992310b263

SHA512
2886cc628c7858d11182ab8d33fbac74c0c180d83e7e26495667698cf6fb6515c72d120f825b06467cd86de2163463b9dc622ff44cbc945e12f14177aeb93157

Download Submit
C:\Users\Admin\AppData\Local\Temp\d270abae-c61d-42be-9e09-8c1a79ec09de.vbs

Filesize
493B

MD5
2d04c8cc7aa99771a31b68c111af46cc

SHA1
71eb1258990c0b4007cf732625e1ec52e4ad3745

SHA256
ddb0f24d0f9c75eedeb89575bb086e97f54e4ccbcd0de83dff7fa40ac38f7419

SHA512
af08ad262d270fc9f15bfa43b44974dc213dd6a8b7c329136adfe88e270260101cb793d0baed1ebc8a937ea03c192fa603901cc3e704787f8739713ed4eeafa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6d3e5ef-78d9-4705-a819-f72bc5fa8790.vbs

Filesize
717B

MD5
9fe2b29ebf561aa46eb3578830855272

SHA1
a05e2ef343e0368b1d6ac8c1591c9079effe4b05

SHA256
6a2e9a7dd3431a70dfa0c5480e390cca42c3907a44546868070a0af02292de83

SHA512
c9e61742753421b2c7baff386817319202cdd288845acd3812366bba6e6cd93827e04905a48619d3faa7dbef45aa917c367c7a46b9057d641a04fe5e2e9c3228

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9dabc0add49f492639ee09a9e9984242e3a8675.exe

Filesize
2.2MB

MD5
8a28a0fa221a3aa5eac3b926214b5cb2

SHA1
979abb378339f2f4197b6466c4744fe122e52b09

SHA256
78a26081ddb3332c2e7fa68aceebba5ba4c2e6eb26df740698ad7ce4ff3e5e3d

SHA512
bbbe8c92de2a0d917e79cf0eb6d274d2ae942c4f64a66a56e18fbf1b8dc649fd12e5cc352abc64c37c4c835df2c8b7511da27b9270ba7da96a2d797f9aff0f45

Download Submit
memory/1184-347-0x0000000000FA0000-0x00000000011CE000-memory.dmp

Filesize
2.2MB

Download
memory/1948-22-0x000000001B5B0000-0x000000001B5B8000-memory.dmp

Filesize
32KB

Download
memory/1948-26-0x000000001B750000-0x000000001B758000-memory.dmp

Filesize
32KB

Download
memory/1948-35-0x000000001BF50000-0x000000001BF5A000-memory.dmp

Filesize
40KB

Download
memory/1948-38-0x000000001B810000-0x000000001B81E000-memory.dmp

Filesize
56KB

Download
memory/1948-39-0x000000001B800000-0x000000001B80C000-memory.dmp

Filesize
48KB

Download
memory/1948-37-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

Filesize
32KB

Download
memory/1948-40-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/1948-41-0x000000001B830000-0x000000001B83C000-memory.dmp

Filesize
48KB

Download
memory/1948-36-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

Filesize
56KB

Download
memory/1948-33-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/1948-32-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/1948-31-0x000000001C280000-0x000000001C7A8000-memory.dmp

Filesize
5.2MB

Download
memory/1948-30-0x000000001B780000-0x000000001B792000-memory.dmp

Filesize
72KB

Download
memory/1948-28-0x000000001B770000-0x000000001B778000-memory.dmp

Filesize
32KB

Download
memory/1948-27-0x000000001B760000-0x000000001B76C000-memory.dmp

Filesize
48KB

Download
memory/1948-34-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/1948-25-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/1948-24-0x000000001B610000-0x000000001B61A000-memory.dmp

Filesize
40KB

Download
memory/1948-23-0x000000001B620000-0x000000001B630000-memory.dmp

Filesize
64KB

Download
memory/1948-20-0x000000001B580000-0x000000001B596000-memory.dmp

Filesize
88KB

Download
memory/1948-21-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

Filesize
48KB

Download
memory/1948-18-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/1948-19-0x000000001B570000-0x000000001B580000-memory.dmp

Filesize
64KB

Download
memory/1948-12-0x00007FFFE03F3000-0x00007FFFE03F5000-memory.dmp

Filesize
8KB

Download
memory/1948-13-0x0000000000700000-0x000000000092E000-memory.dmp

Filesize
2.2MB

Download
memory/1948-17-0x000000001B5C0000-0x000000001B610000-memory.dmp

Filesize
320KB

Download
memory/1948-16-0x000000001B550000-0x000000001B56C000-memory.dmp

Filesize
112KB

Download
memory/1948-15-0x0000000001150000-0x000000000115E000-memory.dmp

Filesize
56KB

Download
memory/1948-14-0x0000000001140000-0x000000000114E000-memory.dmp

Filesize
56KB

Download
memory/2628-306-0x0000000000750000-0x000000000097E000-memory.dmp

Filesize
2.2MB

Download
memory/4748-312-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download