dcrat | a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Size

1.5MB
MD5

a7a220cf43d05ee623ddbad2968f41a0
SHA1

56ffc53df323457898d45a277bb765f1ebb830e5
SHA256

a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638
SHA512

6c4b5515d975bd861d4f2f6719b28e51e5b3b3f0f7f084d49ddd3283ffb91375c886e833c237b1c2419811ee230605713f5f200ee7f78a6e3cd407f57b579719
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Program Files\Windows Security\6203df4a6bafc7		a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
		4360	schtasks.exe
		2756	schtasks.exe
		2280	schtasks.exe
		1408	schtasks.exe
		224	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\DMRCDecoder\\dwm.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\DMRCDecoder\\dwm.exe\", \"C:\\Windows\\System32\\globinputhost\\RuntimeBroker.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\DMRCDecoder\\dwm.exe\", \"C:\\Windows\\System32\\globinputhost\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\lsass.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Security\\lsass.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2504	schtasks.exe	85

UAC bypass 3 TTPs 45 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4456	powershell.exe
3816	powershell.exe
5024	powershell.exe
564	powershell.exe
428	powershell.exe
3792	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

pid	Process
4876	RuntimeBroker.exe
4032	RuntimeBroker.exe
2620	RuntimeBroker.exe
2292	RuntimeBroker.exe
2404	RuntimeBroker.exe
4984	RuntimeBroker.exe
4280	RuntimeBroker.exe
2620	RuntimeBroker.exe
4520	RuntimeBroker.exe
3376	RuntimeBroker.exe
1492	RuntimeBroker.exe
2264	RuntimeBroker.exe
2248	RuntimeBroker.exe
5060	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Security\\lsass.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\globinputhost\\RuntimeBroker.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Security\\lsass.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\DMRCDecoder\\dwm.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\DMRCDecoder\\dwm.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\globinputhost\\RuntimeBroker.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\globinputhost\9e8d7a4ca61bd9	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\DMRCDecoder\RCXB123.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\DMRCDecoder\dwm.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\globinputhost\RCXB327.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\System32\globinputhost\RuntimeBroker.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\DMRCDecoder\dwm.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\DMRCDecoder\6cb0b6c459d5d3	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\System32\globinputhost\RuntimeBroker.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Security\lsass.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Program Files\Windows Security\6203df4a6bafc7	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Program Files\Windows Security\RCXAD19.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Program Files\Windows Security\lsass.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\RCXAF1E.tmp	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\55b276f4edf653	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4360	schtasks.exe
2756	schtasks.exe
2280	schtasks.exe
1408	schtasks.exe
224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
428	powershell.exe
428	powershell.exe
564	powershell.exe
564	powershell.exe
5024	powershell.exe
5024	powershell.exe
3792	powershell.exe
3792	powershell.exe
564	powershell.exe
3816	powershell.exe
3816	powershell.exe
428	powershell.exe
4456	powershell.exe
4456	powershell.exe
3792	powershell.exe
4456	powershell.exe
5024	powershell.exe
3816	powershell.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe
4876	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4876	RuntimeBroker.exe
Token: SeDebugPrivilege	4032	RuntimeBroker.exe
Token: SeDebugPrivilege	2620	RuntimeBroker.exe
Token: SeDebugPrivilege	2292	RuntimeBroker.exe
Token: SeDebugPrivilege	2404	RuntimeBroker.exe
Token: SeDebugPrivilege	4984	RuntimeBroker.exe
Token: SeDebugPrivilege	4280	RuntimeBroker.exe
Token: SeDebugPrivilege	2620	RuntimeBroker.exe
Token: SeDebugPrivilege	4520	RuntimeBroker.exe
Token: SeDebugPrivilege	3376	RuntimeBroker.exe
Token: SeDebugPrivilege	1492	RuntimeBroker.exe
Token: SeDebugPrivilege	2264	RuntimeBroker.exe
Token: SeDebugPrivilege	2248	RuntimeBroker.exe
Token: SeDebugPrivilege	5060	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 5024	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	92
PID 3500 wrote to memory of 5024	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	92
PID 3500 wrote to memory of 564	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	93
PID 3500 wrote to memory of 564	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	93
PID 3500 wrote to memory of 428	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	94
PID 3500 wrote to memory of 428	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	94
PID 3500 wrote to memory of 3792	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	95
PID 3500 wrote to memory of 3792	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	95
PID 3500 wrote to memory of 4456	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	96
PID 3500 wrote to memory of 4456	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	96
PID 3500 wrote to memory of 3816	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	97
PID 3500 wrote to memory of 3816	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	97
PID 3500 wrote to memory of 3376	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	104
PID 3500 wrote to memory of 3376	3500	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe	104
PID 3376 wrote to memory of 1640	3376	cmd.exe	106
PID 3376 wrote to memory of 1640	3376	cmd.exe	106
PID 3376 wrote to memory of 4876	3376	cmd.exe	109
PID 3376 wrote to memory of 4876	3376	cmd.exe	109
PID 4876 wrote to memory of 4080	4876	RuntimeBroker.exe	110
PID 4876 wrote to memory of 4080	4876	RuntimeBroker.exe	110
PID 4876 wrote to memory of 3132	4876	RuntimeBroker.exe	111
PID 4876 wrote to memory of 3132	4876	RuntimeBroker.exe	111
PID 4080 wrote to memory of 4032	4080	WScript.exe	112
PID 4080 wrote to memory of 4032	4080	WScript.exe	112
PID 4032 wrote to memory of 4992	4032	RuntimeBroker.exe	113
PID 4032 wrote to memory of 4992	4032	RuntimeBroker.exe	113
PID 4032 wrote to memory of 4908	4032	RuntimeBroker.exe	114
PID 4032 wrote to memory of 4908	4032	RuntimeBroker.exe	114
PID 4992 wrote to memory of 2620	4992	WScript.exe	115
PID 4992 wrote to memory of 2620	4992	WScript.exe	115
PID 2620 wrote to memory of 2088	2620	RuntimeBroker.exe	116
PID 2620 wrote to memory of 2088	2620	RuntimeBroker.exe	116
PID 2620 wrote to memory of 4504	2620	RuntimeBroker.exe	117
PID 2620 wrote to memory of 4504	2620	RuntimeBroker.exe	117
PID 2088 wrote to memory of 2292	2088	WScript.exe	119
PID 2088 wrote to memory of 2292	2088	WScript.exe	119
PID 2292 wrote to memory of 4864	2292	RuntimeBroker.exe	120
PID 2292 wrote to memory of 4864	2292	RuntimeBroker.exe	120
PID 2292 wrote to memory of 4736	2292	RuntimeBroker.exe	121
PID 2292 wrote to memory of 4736	2292	RuntimeBroker.exe	121
PID 4864 wrote to memory of 2404	4864	WScript.exe	123
PID 4864 wrote to memory of 2404	4864	WScript.exe	123
PID 2404 wrote to memory of 2196	2404	RuntimeBroker.exe	124
PID 2404 wrote to memory of 2196	2404	RuntimeBroker.exe	124
PID 2404 wrote to memory of 1268	2404	RuntimeBroker.exe	125
PID 2404 wrote to memory of 1268	2404	RuntimeBroker.exe	125
PID 2196 wrote to memory of 4984	2196	WScript.exe	126
PID 2196 wrote to memory of 4984	2196	WScript.exe	126
PID 4984 wrote to memory of 4944	4984	RuntimeBroker.exe	127
PID 4984 wrote to memory of 4944	4984	RuntimeBroker.exe	127
PID 4984 wrote to memory of 3620	4984	RuntimeBroker.exe	128
PID 4984 wrote to memory of 3620	4984	RuntimeBroker.exe	128
PID 4944 wrote to memory of 4280	4944	WScript.exe	129
PID 4944 wrote to memory of 4280	4944	WScript.exe	129
PID 4280 wrote to memory of 3888	4280	RuntimeBroker.exe	130
PID 4280 wrote to memory of 3888	4280	RuntimeBroker.exe	130
PID 4280 wrote to memory of 5020	4280	RuntimeBroker.exe	131
PID 4280 wrote to memory of 5020	4280	RuntimeBroker.exe	131
PID 3888 wrote to memory of 2620	3888	WScript.exe	132
PID 3888 wrote to memory of 2620	3888	WScript.exe	132
PID 2620 wrote to memory of 4940	2620	RuntimeBroker.exe	133
PID 2620 wrote to memory of 4940	2620	RuntimeBroker.exe	133
PID 2620 wrote to memory of 4232	2620	RuntimeBroker.exe	134
PID 2620 wrote to memory of 4232	2620	RuntimeBroker.exe	134

System policy modification 1 TTPs 45 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe
"C:\Users\Admin\AppData\Local\Temp\a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DMRCDecoder\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\globinputhost\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A5i6Lhsieb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1640
- - C:\Windows\System32\globinputhost\RuntimeBroker.exe
    "C:\Windows\System32\globinputhost\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3b40d01-b1be-4532-a95b-606e39603a44.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4032
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\503574aa-c2a4-4393-905b-8007e75f38c9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41570de0-5e05-4272-a12d-a639cbe03068.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cb60321-7427-4e09-9096-6953b7ecc668.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d34f527-5a1f-4b1c-b2ab-74e06fb10039.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836d4a14-057c-4eba-bd46-25e5d8f48269.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\280df07d-d1d6-4b44-91d1-64a339733887.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a4845f-b3bb-4416-bb72-2130d604d6a0.vbs"
        18⤵
        
        PID:4940
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e228e99e-5556-40cb-a078-825d6598b17e.vbs"
        20⤵
        
        PID:4276
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a6184e5-058e-4136-8904-fd301881cfc3.vbs"
        22⤵
        
        PID:1764
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317e74ba-4eaa-4187-930a-1ac072fbd524.vbs"
        24⤵
        
        PID:3092
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaab18ce-580e-4ef8-aa8b-f477c4ab8713.vbs"
        26⤵
        
        PID:4280
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf57c521-565e-4ac0-897f-6cb3b3bc4acb.vbs"
        28⤵
        
        PID:4768
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        
        C:\Windows\System32\globinputhost\RuntimeBroker.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\106db33f-d223-4195-9da0-7189b715eeb9.vbs"
        30⤵
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e73cf234-b3a1-4b1f-9ae9-ae337bdeb6c7.vbs"
        30⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf2dc118-0192-412b-8b5a-9e02a630fd9b.vbs"
        28⤵
        
        PID:3724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993cec9d-d840-4fb7-98b4-16130302a5df.vbs"
        26⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0894b730-95d4-424c-ba32-a0ef8aa457cb.vbs"
        24⤵
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5fda6c-3c39-45ce-be3e-908e83f52885.vbs"
        22⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3caf573-82c3-4dcc-aed4-500f6c321dd3.vbs"
        20⤵
        
        PID:3512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a77d6d72-99c3-4fb4-a542-9d5289d7a335.vbs"
        18⤵
        
        PID:4232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be38c08-67d4-4bd4-9de5-a0d1da1d78ee.vbs"
        16⤵
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\551e9a1b-2d70-4d89-ac86-a2c7e128a916.vbs"
        14⤵
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07cc1e14-0d0e-4047-ab66-557305f5d403.vbs"
        12⤵
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1969b04f-dab0-4af0-a052-69530cb0269d.vbs"
        10⤵
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5752d027-3b03-4c87-9cc8-84c252a10184.vbs"
        8⤵
        
        PID:4504
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f3299dc-94c7-4c9d-aacb-e000d65c33e1.vbs"
        6⤵
        
        PID:4908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ff597d4-dc0f-4f64-ab4a-59aff7cc9865.vbs"
      4⤵
      PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\DMRCDecoder\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\globinputhost\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\taskhostw.exe

Filesize
1.5MB

MD5
a7a220cf43d05ee623ddbad2968f41a0

SHA1
56ffc53df323457898d45a277bb765f1ebb830e5

SHA256
a6e2a358641009847064e5b59d1b9393188d51368cb3fa232eebc7fa2a0b7638

SHA512
6c4b5515d975bd861d4f2f6719b28e51e5b3b3f0f7f084d49ddd3283ffb91375c886e833c237b1c2419811ee230605713f5f200ee7f78a6e3cd407f57b579719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\106db33f-d223-4195-9da0-7189b715eeb9.vbs

Filesize
727B

MD5
3540f4b7bcb76ac6a3190ecef7320925

SHA1
eaac14d3f0980e4b7c118d79f318ceb1adba7f71

SHA256
be57d30e8c035e9bc582a9520a6c5aeb5311c3ba389150433e4bac45de094901

SHA512
befea52cbe32ed0af5110d391292fd48f5033e4f1d20a193f1d493797fb271f16a4ca963f1918c2abd12f9456282a84f86c696ec705d47686c44ac7d0426613a

Download Submit
C:\Users\Admin\AppData\Local\Temp\280df07d-d1d6-4b44-91d1-64a339733887.vbs

Filesize
727B

MD5
77faa3a182d498e31739a5875876f1a5

SHA1
c991711ee026c11c31cfffc74b73baa49a72629a

SHA256
e291ed2cb60eaffb8eb3946d093f1169a50cf6d5103ccdc446e044b6d993b02a

SHA512
9a8436cf539ba72ad5d46366b9d1c69081ccf272f991221852500f04276dca5e3820dce4b20cc44a3bce5c48b41f3ac4bc4a08fc698381b169977af28488a9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cb60321-7427-4e09-9096-6953b7ecc668.vbs

Filesize
727B

MD5
ab5b4ca2d63b4a822e1c72781debf128

SHA1
ffbb876f473384eed5be4a28f3cdd1b583fc1356

SHA256
136f4dfc4196c33e0eb2a73e3a7b9f97615de1faf678a7d0539f1f9306538463

SHA512
c4d59369ef535e6c0885527b84d5bd857a1ae3ac3e678e4a7dd502d42715fb8ce97492b216308a5d10f9fcba112c75e3bb0d93806860b716201d7320b889abaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\317e74ba-4eaa-4187-930a-1ac072fbd524.vbs

Filesize
727B

MD5
57e0a1cd59f82f977485c9ae4fc49eca

SHA1
5aa27c74641bbfc3468a46e5d5b1201b6270480f

SHA256
7fca885ccdfdf98cd7aaf340adbb95dc8fbc766586f61794c4286367daaf97d4

SHA512
9645376371a63736bb1531ba65f4a81262b5e8d01d29c0bad57832f48af8ef38c5faf5f6e525a229a6a6bb9509104762233e622026d1a7e6444759ce2855870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d34f527-5a1f-4b1c-b2ab-74e06fb10039.vbs

Filesize
727B

MD5
a37d44686c320ae89ba93f78eb32f276

SHA1
0d15bb43e113626851de64f9e2a0c4e747298264

SHA256
f0c03fc06e9b06638353ffcb9bca25b702b985f405a076d3bb278dfa27a7d6c5

SHA512
dc33d0cc438a94a50e85e59cf20963569a4a9d773dc3006dbf72569dc72cdd6ad1d100cf4f3e7279fdbf329f16545499bf1d42cdd360138253432f6dd5e7e34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41570de0-5e05-4272-a12d-a639cbe03068.vbs

Filesize
727B

MD5
99f82aaacfc644c5a9f5139d9753a497

SHA1
b62ba53770ad7cf3031fa152ba53ec02815a1aef

SHA256
f08048a177f7d2743d0db1180863dce336bbd3a8ca19b56c220240ef7de37098

SHA512
c9487f71cb8ad4830fd32b946d23de0d32b57cd94b67db787f2e063449347588cebae40133095dd695cfdb1d5629b5cf2f5092b1f79bbd859edc4f2086532e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\503574aa-c2a4-4393-905b-8007e75f38c9.vbs

Filesize
727B

MD5
0d52ea1483991c49d3007dc549426f34

SHA1
71632f9ae96eeb0bc08f84ede9752c1e6d245060

SHA256
dc7a604b38d092e1eae6c834c65c4a3b6e792754066745c38d0911e34887e45f

SHA512
74d8a715a0bc4ccd51906f356cc0f779dce68aec4e0a54d3258406648549a64e3e8afd84dafbba14fe364494409eb2c12d2dbc98a8027c8d710a57ccafdd6ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a6184e5-058e-4136-8904-fd301881cfc3.vbs

Filesize
727B

MD5
046f3ed71fd54276f2cecf65543fa308

SHA1
cdff8cb3a11656fff31d4b2bc218f0f414a550ee

SHA256
9037b358e46d8284fff7e1a2f19ed14150deaedeee00af470c355970a113a7f1

SHA512
6d682665c80d4c8decc2b518f04f6858cb4cdbe9193b2d0a3f3652c559250097b5a1b4ddb4d6e09edecb1b9a31600d54b1ed1871fc1de088b1e65b8d010f04a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\836d4a14-057c-4eba-bd46-25e5d8f48269.vbs

Filesize
727B

MD5
248161c193ac26a297dd4d7513fce780

SHA1
fbd21e9cd316b0fb219f6c52fc36cf43fb320cf9

SHA256
09b96da2f0ec4a8dc5647bac7a076b2c85098309429d9081a43c6f0b346f7a72

SHA512
d310bea7d862a2d65efb6d011332c2ebc6b6c972c09c57e311c312e72a5e73b7cfde3616c15b450f9b6239693b2d5cf10d6c402496c48f21ff1b2e2c31a0a6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ff597d4-dc0f-4f64-ab4a-59aff7cc9865.vbs

Filesize
503B

MD5
2a8636fd4d3021ce7e8bc41a329538fb

SHA1
5323e6be781c54c13a11fe89cee50243b7845485

SHA256
0674db518ec4c8f5cba322908041adb3ee2d1ac409ef0de64bea57be791d3c87

SHA512
4a6de0749ad52d596d98d110493490c756cbcda599ddb790090c5af407135f2c0d273e55170a15f69973c8c96d704cfa5a06ae372b501dfbc6979c3bfe5e0dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5i6Lhsieb.bat

Filesize
215B

MD5
e845fdda5e548e1dff12417c8b197bf4

SHA1
3fd3449f4f0d106df426c9fae3731c5bb5aea9ce

SHA256
4705a0705a4cb73aa1b5eb09bae515eb9f1a24333e84e5934a8149c6b78b4664

SHA512
762b63bee0b75ade1374b257c2943fe97a34ef70840f6222f91d0316907e0abb0de16331ce36c0ad15bf30cb4fb2a58b5887ef35ce810e4b59c03dc19f6a4bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iakpmrez.qki.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3b40d01-b1be-4532-a95b-606e39603a44.vbs

Filesize
727B

MD5
b3e33ad777c4f84e84450a90ac645bbc

SHA1
b66df39957d200686089dc8f8cf7744a4ddbe3c3

SHA256
4d5270e098437b2b5928304d9e9af4583aecf65b6c4bff21bccca7ae366e7c94

SHA512
bbb9b041873424d791f0580d877670c31a6c3a6508c41dd384ad50d50975a6e14b28fb354b415320b462667a94810b0d8cc680913d3fcc4ff8490ef02fcce383

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf57c521-565e-4ac0-897f-6cb3b3bc4acb.vbs

Filesize
727B

MD5
586bdaadbc669716eecbd2f6217c38b0

SHA1
cee5523a5a589d48d2837a57142ec2908e00890e

SHA256
f9e1694d4da40e4da27e86c9e768979816cd94dcfa9314886e292d6c3d812a0f

SHA512
556aba53526f0be181cf6c934e5b357dea1342b9e17f8eb51ef12b9f90b5442d34b1b0bbb2e980eb5810dcd1e411d8c663b97eea4bccdadfb9d8cf70a865038e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e228e99e-5556-40cb-a078-825d6598b17e.vbs

Filesize
727B

MD5
c62a3b5a960414bd460a13712273baba

SHA1
eb11e2e4ae7f61857df313a4c3f5a99123214841

SHA256
cfedcf67960c80dd783c1164a0d20d98376ccdbdc063bfb76d99cee053788b9e

SHA512
e101c23cc8a3728ca80d4d5285b241c7b45359bccf0a1720fa6a579b03b3c32ad416441fe2b66337cb8b494fdf15503b26345bf5370943b20d12d4adf954a463

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaab18ce-580e-4ef8-aa8b-f477c4ab8713.vbs

Filesize
727B

MD5
5c2ece15d66e654a30dec90e24dcd38f

SHA1
c2e98f95356186ebf3223599d806712bb3a2a775

SHA256
2d4e9ab7a1eca586fa201dec88e99e04590dc0fe6da1caf0b0e71507e8539d0a

SHA512
6489af464c101df5f3ef5688734b6effe9f577d1fa4af2ebd40452b41522d3ad87610fab0b3511ba1eda42b1da40a5b7a9c37b918ad9011e31b887b051d7e3e5

Download Submit
memory/428-83-0x00000294F9CA0000-0x00000294F9CC2000-memory.dmp

Filesize
136KB

Download
memory/2620-228-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/3500-13-0x000000001C240000-0x000000001C24A000-memory.dmp

Filesize
40KB

Download
memory/3500-24-0x00007FFED61E0000-0x00007FFED6CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-11-0x000000001C220000-0x000000001C230000-memory.dmp

Filesize
64KB

Download
memory/3500-10-0x000000001C210000-0x000000001C220000-memory.dmp

Filesize
64KB

Download
memory/3500-20-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/3500-16-0x000000001C270000-0x000000001C278000-memory.dmp

Filesize
32KB

Download
memory/3500-17-0x000000001C280000-0x000000001C28C000-memory.dmp

Filesize
48KB

Download
memory/3500-18-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/3500-12-0x000000001C230000-0x000000001C238000-memory.dmp

Filesize
32KB

Download
memory/3500-15-0x000000001C260000-0x000000001C26A000-memory.dmp

Filesize
40KB

Download
memory/3500-14-0x000000001C250000-0x000000001C25C000-memory.dmp

Filesize
48KB

Download
memory/3500-25-0x00007FFED61E0000-0x00007FFED6CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-1-0x0000000000E10000-0x0000000000F8E000-memory.dmp

Filesize
1.5MB

Download
memory/3500-0-0x00007FFED61E3000-0x00007FFED61E5000-memory.dmp

Filesize
8KB

Download
memory/3500-21-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/3500-9-0x000000001C200000-0x000000001C20C000-memory.dmp

Filesize
48KB

Download
memory/3500-8-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

Filesize
32KB

Download
memory/3500-2-0x00007FFED61E0000-0x00007FFED6CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-7-0x000000001C1E0000-0x000000001C1EC000-memory.dmp

Filesize
48KB

Download
memory/3500-77-0x00007FFED61E0000-0x00007FFED6CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-6-0x000000001C1C0000-0x000000001C1CA000-memory.dmp

Filesize
40KB

Download
memory/3500-5-0x000000001C1D0000-0x000000001C1DC000-memory.dmp

Filesize
48KB

Download
memory/3500-3-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/3500-4-0x0000000003120000-0x0000000003132000-memory.dmp

Filesize
72KB

Download
memory/4280-216-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/4876-148-0x000000001C900000-0x000000001C912000-memory.dmp

Filesize
72KB

Download