dcrat | f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f723cd9002531ad31487e588d1132bc.exe
Size

1.1MB
MD5

6f723cd9002531ad31487e588d1132bc
SHA1

c794aab74ea0c76d1c077ca87d175014bc76f0f5
SHA256

c9206100b2d07324c79a83cb515893a79d39a1de3a6dac7a72a7b167c41b6910
SHA512

198154faa272369a965747852699d562c43622f9fbe94daf2cd4d62c63e64f7c542904e582f074f57843fb35e5db500149ee58c1826d733688e54eb6da6ad5a2
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 25 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
3892	schtasks.exe
5388	schtasks.exe
112	schtasks.exe
3692	schtasks.exe
4724	schtasks.exe
5520	schtasks.exe
1264	schtasks.exe
3428	schtasks.exe
2224	schtasks.exe
5408	schtasks.exe
5460	schtasks.exe
1212	schtasks.exe
5080	schtasks.exe
2728	schtasks.exe
5436	schtasks.exe
4784	schtasks.exe
2888	schtasks.exe
908	schtasks.exe
4412	schtasks.exe
2184	schtasks.exe
5480	schtasks.exe
5544	schtasks.exe
4280	schtasks.exe
5568	schtasks.exe
2260	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 25 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Windows\\Installer\\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\\OfficeClickToRun.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Windows\\Installer\\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Windows\\PLA\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Windows\\Installer\\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Registry.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\", \"C:\\Windows\\system\\explorer.exe\", \"C:\\Windows\\System32\\APHostService\\dllhost.exe\", \"C:\\Windows\\bfsvc\\explorer.exe\", \"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\", \"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Windows\\Installer\\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Registry.exe\", \"C:\\Windows\\PLA\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\", \"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\", \"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\", \"C:\\Windows\\win\\sysmon.exe\", \"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\", \"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\", \"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\", \"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\", \"C:\\Documents and Settings\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Start Menu\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe

Process spawned unexpected child process 25 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5480	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5520	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	812	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	812	schtasks.exe	87

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5396	powershell.exe
3368	powershell.exe
1648	powershell.exe
5368	powershell.exe
5448	powershell.exe
2776	powershell.exe
732	powershell.exe
4340	powershell.exe
5740	powershell.exe
5772	powershell.exe
5756	powershell.exe
5420	powershell.exe
5472	powershell.exe
3792	powershell.exe
3892	powershell.exe
1596	powershell.exe
5748	powershell.exe
5820	powershell.exe
5804	powershell.exe
5796	powershell.exe
880	powershell.exe
1240	powershell.exe
412	powershell.exe
436	powershell.exe
3568	powershell.exe
1340	powershell.exe
5788	powershell.exe
5780	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6f723cd9002531ad31487e588d1132bc.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 10 IoCs

pid	Process
3844	6f723cd9002531ad31487e588d1132bc.exe
5300	6f723cd9002531ad31487e588d1132bc.exe
5756	RuntimeBroker.exe
6140	RuntimeBroker.exe
4280	RuntimeBroker.exe
3256	RuntimeBroker.exe
5268	RuntimeBroker.exe
440	RuntimeBroker.exe
1232	RuntimeBroker.exe
5912	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Documents and Settings\\StartMenuExperienceHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\bfsvc\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\Installer\\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\\OfficeClickToRun.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\PLA\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Start Menu\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\system\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\APHostService\\dllhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\LockAppBroker\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\dotnet\\swidtag\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Start Menu\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\dwmapi\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\mfc140jpn\\backgroundTaskHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Registry.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\sensrsvc\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Documents and Settings\\StartMenuExperienceHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\system\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\APHostService\\dllhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\d9c22b4eaa3c0b9c12c7\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\win\\sysmon.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\msvfw32\\taskhostw.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Registry.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\systemcpl\\RuntimeBroker.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\bfsvc\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\BingConfigurationClient\\SearchApp.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\dfe2e59cddd00040f555dab607351a1d\\OfficeClickToRun.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\Installer\\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\\OfficeClickToRun.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Registry.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\PLA\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sensrsvc\RCX6249.tmp	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\APHostService\dllhost.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\mfc140jpn\backgroundTaskHost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\APHostService\5940a34987c991	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\LockAppBroker\backgroundTaskHost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\dwmapi\backgroundTaskHost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\dwmapi\eddb19405b7ce1	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\mfc140jpn\eddb19405b7ce1	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\sensrsvc\spoolsv.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\msvfw32\taskhostw.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\sensrsvc\spoolsv.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\systemcpl\RuntimeBroker.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\LockAppBroker\eddb19405b7ce1	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\LockAppBroker\backgroundTaskHost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\mfc140jpn\backgroundTaskHost.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\msvfw32\RCX5E20.tmp	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\systemcpl\RuntimeBroker.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\systemcpl\9e8d7a4ca61bd9	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\dwmapi\backgroundTaskHost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\APHostService\dllhost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\msvfw32\taskhostw.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\msvfw32\ea9f0e6c9e2dcd	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\sensrsvc\f3b6ecef712a24	6f723cd9002531ad31487e588d1132bc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Program Files\Windows Portable Devices\spoolsv.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Program Files\dotnet\swidtag\csrss.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Program Files\dotnet\swidtag\886983d96e3d3e	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCX644D.tmp	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Program Files\dotnet\swidtag\csrss.exe	6f723cd9002531ad31487e588d1132bc.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system\explorer.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\bfsvc\explorer.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\OfficeClickToRun.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\win\121e5b5079f7c0	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\system\7a0fd90576e088	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\bfsvc\7a0fd90576e088	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\system\explorer.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\bfsvc\explorer.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\OfficeClickToRun.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\win\sysmon.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\e6c9b481da804f	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\PLA\csrss.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\PLA\csrss.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\38384e6a620884	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\win\RCX5C1C.tmp	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\PLA\886983d96e3d3e	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\RCX5728.tmp	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\win\sysmon.exe	6f723cd9002531ad31487e588d1132bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	6f723cd9002531ad31487e588d1132bc.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6f723cd9002531ad31487e588d1132bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6f723cd9002531ad31487e588d1132bc.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4784	schtasks.exe
4412	schtasks.exe
2888	schtasks.exe
112	schtasks.exe
5568	schtasks.exe
3428	schtasks.exe
4724	schtasks.exe
5408	schtasks.exe
5436	schtasks.exe
5520	schtasks.exe
1212	schtasks.exe
1264	schtasks.exe
2728	schtasks.exe
2184	schtasks.exe
4280	schtasks.exe
3692	schtasks.exe
5388	schtasks.exe
5460	schtasks.exe
2260	schtasks.exe
3892	schtasks.exe
2224	schtasks.exe
908	schtasks.exe
5480	schtasks.exe
5544	schtasks.exe
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
1596	powershell.exe
1596	powershell.exe
732	powershell.exe
732	powershell.exe
3568	powershell.exe
3568	powershell.exe
2776	powershell.exe
2776	powershell.exe
436	powershell.exe
436	powershell.exe
1340	powershell.exe
1340	powershell.exe
1240	powershell.exe
1240	powershell.exe
4340	powershell.exe
4340	powershell.exe
4356	6f723cd9002531ad31487e588d1132bc.exe
412	powershell.exe
412	powershell.exe
3892	powershell.exe
3892	powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3844	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5796	powershell.exe
Token: SeDebugPrivilege	5804	powershell.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5300	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	5472	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	5756	RuntimeBroker.exe
Token: SeDebugPrivilege	6140	RuntimeBroker.exe
Token: SeDebugPrivilege	4280	RuntimeBroker.exe
Token: SeDebugPrivilege	3256	RuntimeBroker.exe
Token: SeDebugPrivilege	5268	RuntimeBroker.exe
Token: SeDebugPrivilege	440	RuntimeBroker.exe
Token: SeDebugPrivilege	1232	RuntimeBroker.exe
Token: SeDebugPrivilege	5912	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 1340	4356	6f723cd9002531ad31487e588d1132bc.exe	102
PID 4356 wrote to memory of 1340	4356	6f723cd9002531ad31487e588d1132bc.exe	102
PID 4356 wrote to memory of 3368	4356	6f723cd9002531ad31487e588d1132bc.exe	103
PID 4356 wrote to memory of 3368	4356	6f723cd9002531ad31487e588d1132bc.exe	103
PID 4356 wrote to memory of 3568	4356	6f723cd9002531ad31487e588d1132bc.exe	104
PID 4356 wrote to memory of 3568	4356	6f723cd9002531ad31487e588d1132bc.exe	104
PID 4356 wrote to memory of 4340	4356	6f723cd9002531ad31487e588d1132bc.exe	105
PID 4356 wrote to memory of 4340	4356	6f723cd9002531ad31487e588d1132bc.exe	105
PID 4356 wrote to memory of 436	4356	6f723cd9002531ad31487e588d1132bc.exe	106
PID 4356 wrote to memory of 436	4356	6f723cd9002531ad31487e588d1132bc.exe	106
PID 4356 wrote to memory of 412	4356	6f723cd9002531ad31487e588d1132bc.exe	107
PID 4356 wrote to memory of 412	4356	6f723cd9002531ad31487e588d1132bc.exe	107
PID 4356 wrote to memory of 1596	4356	6f723cd9002531ad31487e588d1132bc.exe	108
PID 4356 wrote to memory of 1596	4356	6f723cd9002531ad31487e588d1132bc.exe	108
PID 4356 wrote to memory of 3892	4356	6f723cd9002531ad31487e588d1132bc.exe	109
PID 4356 wrote to memory of 3892	4356	6f723cd9002531ad31487e588d1132bc.exe	109
PID 4356 wrote to memory of 732	4356	6f723cd9002531ad31487e588d1132bc.exe	110
PID 4356 wrote to memory of 732	4356	6f723cd9002531ad31487e588d1132bc.exe	110
PID 4356 wrote to memory of 2776	4356	6f723cd9002531ad31487e588d1132bc.exe	111
PID 4356 wrote to memory of 2776	4356	6f723cd9002531ad31487e588d1132bc.exe	111
PID 4356 wrote to memory of 3792	4356	6f723cd9002531ad31487e588d1132bc.exe	112
PID 4356 wrote to memory of 3792	4356	6f723cd9002531ad31487e588d1132bc.exe	112
PID 4356 wrote to memory of 1240	4356	6f723cd9002531ad31487e588d1132bc.exe	113
PID 4356 wrote to memory of 1240	4356	6f723cd9002531ad31487e588d1132bc.exe	113
PID 4356 wrote to memory of 3844	4356	6f723cd9002531ad31487e588d1132bc.exe	126
PID 4356 wrote to memory of 3844	4356	6f723cd9002531ad31487e588d1132bc.exe	126
PID 3844 wrote to memory of 5740	3844	6f723cd9002531ad31487e588d1132bc.exe	137
PID 3844 wrote to memory of 5740	3844	6f723cd9002531ad31487e588d1132bc.exe	137
PID 3844 wrote to memory of 5748	3844	6f723cd9002531ad31487e588d1132bc.exe	138
PID 3844 wrote to memory of 5748	3844	6f723cd9002531ad31487e588d1132bc.exe	138
PID 3844 wrote to memory of 5756	3844	6f723cd9002531ad31487e588d1132bc.exe	139
PID 3844 wrote to memory of 5756	3844	6f723cd9002531ad31487e588d1132bc.exe	139
PID 3844 wrote to memory of 5772	3844	6f723cd9002531ad31487e588d1132bc.exe	141
PID 3844 wrote to memory of 5772	3844	6f723cd9002531ad31487e588d1132bc.exe	141
PID 3844 wrote to memory of 5780	3844	6f723cd9002531ad31487e588d1132bc.exe	142
PID 3844 wrote to memory of 5780	3844	6f723cd9002531ad31487e588d1132bc.exe	142
PID 3844 wrote to memory of 5788	3844	6f723cd9002531ad31487e588d1132bc.exe	143
PID 3844 wrote to memory of 5788	3844	6f723cd9002531ad31487e588d1132bc.exe	143
PID 3844 wrote to memory of 5796	3844	6f723cd9002531ad31487e588d1132bc.exe	144
PID 3844 wrote to memory of 5796	3844	6f723cd9002531ad31487e588d1132bc.exe	144
PID 3844 wrote to memory of 5804	3844	6f723cd9002531ad31487e588d1132bc.exe	145
PID 3844 wrote to memory of 5804	3844	6f723cd9002531ad31487e588d1132bc.exe	145
PID 3844 wrote to memory of 5820	3844	6f723cd9002531ad31487e588d1132bc.exe	147
PID 3844 wrote to memory of 5820	3844	6f723cd9002531ad31487e588d1132bc.exe	147
PID 3844 wrote to memory of 5300	3844	6f723cd9002531ad31487e588d1132bc.exe	155
PID 3844 wrote to memory of 5300	3844	6f723cd9002531ad31487e588d1132bc.exe	155
PID 5300 wrote to memory of 880	5300	6f723cd9002531ad31487e588d1132bc.exe	163
PID 5300 wrote to memory of 880	5300	6f723cd9002531ad31487e588d1132bc.exe	163
PID 5300 wrote to memory of 1648	5300	6f723cd9002531ad31487e588d1132bc.exe	164
PID 5300 wrote to memory of 1648	5300	6f723cd9002531ad31487e588d1132bc.exe	164
PID 5300 wrote to memory of 5396	5300	6f723cd9002531ad31487e588d1132bc.exe	165
PID 5300 wrote to memory of 5396	5300	6f723cd9002531ad31487e588d1132bc.exe	165
PID 5300 wrote to memory of 5420	5300	6f723cd9002531ad31487e588d1132bc.exe	167
PID 5300 wrote to memory of 5420	5300	6f723cd9002531ad31487e588d1132bc.exe	167
PID 5300 wrote to memory of 5368	5300	6f723cd9002531ad31487e588d1132bc.exe	168
PID 5300 wrote to memory of 5368	5300	6f723cd9002531ad31487e588d1132bc.exe	168
PID 5300 wrote to memory of 5448	5300	6f723cd9002531ad31487e588d1132bc.exe	169
PID 5300 wrote to memory of 5448	5300	6f723cd9002531ad31487e588d1132bc.exe	169
PID 5300 wrote to memory of 5472	5300	6f723cd9002531ad31487e588d1132bc.exe	170
PID 5300 wrote to memory of 5472	5300	6f723cd9002531ad31487e588d1132bc.exe	170
PID 5300 wrote to memory of 3832	5300	6f723cd9002531ad31487e588d1132bc.exe	177
PID 5300 wrote to memory of 3832	5300	6f723cd9002531ad31487e588d1132bc.exe	177
PID 3832 wrote to memory of 1788	3832	cmd.exe	179
PID 3832 wrote to memory of 1788	3832	cmd.exe	179

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
"C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\win\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msvfw32\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sensrsvc\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
  "C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\systemcpl\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\APHostService\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bfsvc\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\LockAppBroker\backgroundTaskHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dwmapi\backgroundTaskHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5820
- - C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
    "C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc140jpn\backgroundTaskHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\OfficeClickToRun.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Registry.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5472
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FCOKoWRi7b.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1788
    - - C:\PerfLogs\RuntimeBroker.exe
        
        "C:\PerfLogs\RuntimeBroker.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b012b550-e5e8-4955-a6b8-110d5837e4fd.vbs"
        6⤵
        
        PID:4720
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd04fa20-1d54-4950-9362-486c8d81f4e5.vbs"
        8⤵
        
        PID:3528
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caf5f333-f64c-48bc-a5ad-253b2c151abd.vbs"
        10⤵
        
        PID:2384
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\722e6512-eff5-4c11-93ce-a7d25b59d2d7.vbs"
        12⤵
        
        PID:2060
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\905f78ba-d488-4276-8236-8f48ddacbb6c.vbs"
        14⤵
        
        PID:5316
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\534bdabb-cb4b-41e5-af22-46655086bed9.vbs"
        16⤵
        
        PID:5088
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e54b9baf-e7af-40bd-822a-ba66f047ed4f.vbs"
        18⤵
        
        PID:1444
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6223626-6172-4be7-8d47-c22180cc1a2c.vbs"
        20⤵
        
        PID:2708
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        21⤵
        
        PID:5356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2973712e-858b-4fe7-a946-1197e834bdde.vbs"
        22⤵
        
        PID:5056
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        23⤵
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27559b53-5963-4900-97ac-d72ae30d1ccb.vbs"
        24⤵
        
        PID:2852
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        25⤵
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e06cd0b-43db-4fb0-ae96-847d29757a69.vbs"
        26⤵
        
        PID:3236
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        27⤵
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\657de74d-0d54-470e-9c9b-1d1e41b3c2a3.vbs"
        28⤵
        
        PID:3464
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        29⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91453f8a-5c60-427c-a41e-2cd7544f397c.vbs"
        30⤵
        
        PID:5900
        
        C:\PerfLogs\RuntimeBroker.exe
        
        C:\PerfLogs\RuntimeBroker.exe
        31⤵
        
        PID:5864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31cafffa-4677-459d-a602-e97e19549822.vbs"
        32⤵
        
        PID:392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d8515d-ba64-4773-b946-45850560e2f4.vbs"
        32⤵
        
        PID:5984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2adbc72-0129-4473-abca-72c95932263d.vbs"
        30⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541cdd0e-819d-46e1-a31d-be60ce80a6dc.vbs"
        28⤵
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe3a4fee-0003-4f4a-acf3-e9e68c5ed3af.vbs"
        26⤵
        
        PID:5376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2aa2ff0-a8d9-4ceb-b26f-dddcd4e15a0c.vbs"
        24⤵
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7ffcc68-d2e7-4497-beef-7e73d0318f27.vbs"
        22⤵
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b45d4670-efe6-4830-ba22-ff1924ad7637.vbs"
        20⤵
        
        PID:5200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e7204d-138d-4397-b3bd-78561573b679.vbs"
        18⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7a0324f-bb85-4a8f-984b-49fafd60ec0e.vbs"
        16⤵
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ff57150-88d2-46bd-9982-44f80540c591.vbs"
        14⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66cb8055-89ae-488a-8b71-25344ab73433.vbs"
        12⤵
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8633529d-1904-40c8-b3f6-9dbd9590fe93.vbs"
        10⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e74509c1-c4f2-44c6-803c-39b593bb9970.vbs"
        8⤵
        
        PID:4728
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\853f876a-a8b9-4c1f-921d-1df142f6f509.vbs"
        6⤵
        
        PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfigurationClient\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\win\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\msvfw32\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\sensrsvc\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\systemcpl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\APHostService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bfsvc\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\LockAppBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\dwmapi\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\mfc140jpn\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Installer\{49841001-DB8F-3FB2-9151-0FD8A01B687A}\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\wininit.exe

Filesize
1.1MB

MD5
f6e8d60f3ac39908bdae6970878e7ab2

SHA1
37ccfe357a72d15a918ea0d3c4bd6d9d6b824a8d

SHA256
d8ba167dd8f1f966cfc5bc8311d7953dca0f9eb83732bba2bb8fea12cc523ad9

SHA512
3c91f48d01d79dc0475d8a51a0dabb4014cc5c6d10ee70dd07b32c78c5a6017ef6efa67a52f4c42227d56c563bb86bf4af7184e3d00005076d0ccb6a6c7c3871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6f723cd9002531ad31487e588d1132bc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
09c38bf09493920e93b25f37f1ae4efe

SHA1
42e5d800056f08481870c4ca2d0d48181ca8edc8

SHA256
37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

SHA512
91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acb0e0db180c73954955309f90c91376

SHA1
c27f2c17cfa4fd4a92174eb548aacf6606814cf4

SHA256
10c4266a001dde473f229f0ad24a3ba938d703f7c80debe52f6f49d3441cc849

SHA512
6fffb653f2da467d9d0cec17d2a39c6bd89321c5193a093547f20af70f7f74800045273860165543779a9298c9bbace104f8710bc1557ff9a31d6cbec3a298fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5fada736af27ab22d5e094bdb95102b0

SHA1
1f85d64684a657e88b138cfb7b3a51f472beb91f

SHA256
108d03e081aaef766e8052ffe6188c97e0ff663cc73516bc632aacb874b8876c

SHA512
9f9fecf23c0678eda9c19941f6565a1dd50185b86241a84a10b170c320d0d9f8e9187fc6c141e37d6e137167868df6f8838dac99cbfe44ac117aed605027873a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8846686b7f2d146c0baa27459eedbd8d

SHA1
c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

SHA256
33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

SHA512
3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
059e5f0f77d3e99c8872915337444e20

SHA1
4e98080250f6e1686a56063d5c93274dee64db69

SHA256
74b4e76a16a85451ce9239d063a8edf263cd27f8ecdc77cfc6cccbcb407929cb

SHA512
f0377c8366235a167d9580106a5ef934ae86b4db01f68f6d0ced478a7490fad7a605f5ac02e73fd5130db9f33b3825c2a5ed0a0c220dcb7d7069bcf29db8b0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67668db6b58b27a901b0f39b4ecc4860

SHA1
53d610904acc243780be1f91773475bfa7cfd6ee

SHA256
1c7238f064efd555bf174b09b470b5c4126da5681efc8a8889e139a74f472ed4

SHA512
9cdb241e1e66da3cc2fa7d749d888f30d4c88e9e7f705ebb5b346dc6e831eae96503d2269f560099f67a25c91a67d9b2cbf414d6c5d4aeed5fd2506e1f89af41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9446ef672d3463e7b439f707593e5ffe

SHA1
4a41dd5e38cd2b7079546abc1dcfa20422501f0e

SHA256
4b0867e74444bffede3cad101624184ed1e2ece2bc31dd051267a914a633fc07

SHA512
d57a9e08549a28cf19834be0133b6f75973f34f3c8c85ee187bf1a47167dec8ac70e92d910666311d9882a501e37a37fd63706c9ee9570c6dd041e7eaf336739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f375b35483444df78eeea1c6994ff183

SHA1
09871cd2502a0315f736217cd3c73f9c27d2b41b

SHA256
b0992eccb3bca8d2f6c8243fd82b8fa0dd0f977ec61e913277667aef082cd2c0

SHA512
b708ce4c74980cdfb8f4278e446f837b3a4c8f4c8a5381acba954add69201f67451d21bf1b2fec15df28cb72fcc6fceaeedd4305fc0d9487db9c1e22460e4353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\534bdabb-cb4b-41e5-af22-46655086bed9.vbs

Filesize
704B

MD5
5e2e4c2b0de3ea56fbbcfed0dcfd1c14

SHA1
868e606c855ec3fb2c7bcc5041e0fda987dc998a

SHA256
636525696488e543109c0daf27f588b079a307aac93ad08803b3d8b038b3c083

SHA512
d90e19292e20b9163c8ccae29609c4c7824cdd3a2b25350ba019c2a45fbd27bad4e47f3b26989e8a880e3c14a001118d6b5981fcd64d7ea35fe09c22360a9082

Download Submit
C:\Users\Admin\AppData\Local\Temp\722e6512-eff5-4c11-93ce-a7d25b59d2d7.vbs

Filesize
705B

MD5
24ec09a3600b5f2120bcdd254ab8bcd6

SHA1
1722252eb9e56b00170bb9aeadf31065a61b5910

SHA256
b6821f539d0989ab8cab5abf7c3464050e6fcc3de35ad3e9290ce0292ca2a1ec

SHA512
7441f9bf78a6886605201f59f12b445a2b597917a45001ac6cfd8a54f1fea6418882b60d2af8dc578ba722a8b48bb1641c79dfe96a8208c9d880ef847e5dbd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\853f876a-a8b9-4c1f-921d-1df142f6f509.vbs

Filesize
481B

MD5
1debd1008979aadd8ca1babb199a69a4

SHA1
47f3be169bacd5d7ddeff6d4463982bef55ebd2c

SHA256
4b34cb1a3418f0f3d3d85902ee18b78c01bd9611e66c37549dba41e2e3616591

SHA512
61691e09019cd96f4bcbfba9e30906395cc259ea1ee774e9a54f426b2721b6718a73e72127949890febc9dfa5d79fdfecb86ef1fa5c5dac2a6b712a70a077634

Download Submit
C:\Users\Admin\AppData\Local\Temp\905f78ba-d488-4276-8236-8f48ddacbb6c.vbs

Filesize
705B

MD5
b8a9772d3ef9fde1b8acac658e07dd09

SHA1
09e6e394e2d2dc885ab2367148cdfd0450c9d0f7

SHA256
9b83dc8a9595e32b01403577dc346bae8fe9019867fcc9e9be57b19e53e4c607

SHA512
622d0279667c7d5da3525dd8c03892afd8d34f844b48b413ba9823ba46161b49b5a2a3b7d297c9832c235c11216d920612c6083c59ffe2865ed1379624bd45e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCOKoWRi7b.bat

Filesize
193B

MD5
71d07c6a4bbad09af40ea6394bd26add

SHA1
a4ba8842fcd8eb56cfe8ec3885953c25fa71ed41

SHA256
d9f8189efca1c7fe445729709103eb731ec8eafc3d1cc3ef2a7994dcededaa13

SHA512
83e2ae88c827a2ef0e8d10170b228b748a8a6bcd5fe9eaeab259e7b293b4329f1d83cd9e5c455f4f7bdece5dd5443acee072fad4aca250900a3100a74de6a69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckcptfzx.oom.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b012b550-e5e8-4955-a6b8-110d5837e4fd.vbs

Filesize
705B

MD5
7a57cf3d92b318956d961cef998fb038

SHA1
4f9f9ad21dbb0e55bdba5cba5c81feb9a93f167d

SHA256
ade50ab9e09307fad321528cefc9f6c6d10e3e96f91084fe9312a4a852a739b9

SHA512
85c40659b7e2731ac5f61aced772f802d63055f3f4ae76edd2ec87df4d2e30132f73ab6727c1bda411d0834cb474a1440d6acb81ccfaa9597b49f113e7ba6110

Download Submit
C:\Users\Admin\AppData\Local\Temp\caf5f333-f64c-48bc-a5ad-253b2c151abd.vbs

Filesize
705B

MD5
608ad3989959fece5865c393f01e013b

SHA1
3c598a97d14ffe2495aca77d16b1e37a06b9c88c

SHA256
bcf2f8e649fcbac23287c15e4efa91d0254a56bdafc34a17f823a5a0080733bf

SHA512
5fb8d93d3fc15fadfc68de2e429769d7755fb0f8f6411a9855f9bd4bec5cbf7263b1a8dc7a9a6c0be6a95f5abbb6d98ce9376212aa6ae6852d0dfe65b1624321

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd04fa20-1d54-4950-9362-486c8d81f4e5.vbs

Filesize
705B

MD5
73c62ce3cdd95da6379254cfe8767b2b

SHA1
d80a3ab73e738e8c9bd657d0f279ada2e5a8807d

SHA256
66f0cdbf32bac522af36fb8c872bdd1ff9f61ce90e18871859b65138babc4ffb

SHA512
9ce484186c74ddd58dd788822a6192241722d789ac4bd9776003371b94072443131f6e665caf335a7c92789b774ffaa63119164d7da74296ec6ba30d91e524dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e54b9baf-e7af-40bd-822a-ba66f047ed4f.vbs

Filesize
705B

MD5
2128f315a8779803b57286691cf68fbb

SHA1
f7325e9f54e328a77e8e820aee2391d5e33f6b1e

SHA256
4d2a7e7d44f7be861c165cae61181ce722ab571a7e08edeb8c842ab787aeee8a

SHA512
aa785b7a0ad41a639a28a4d45f2d3bf856365fa01c89c212c25b1c3e9342d8ec4166a4ad805a08b74c49a580fa78faf2d3225d5f770b97f1352286d9ca590e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
696B

MD5
57f1f4f3448005ae8d128751d926371a

SHA1
7488700073e2bbbb34403debe10399f94a22d3ba

SHA256
7002f737892e18654f6db7852734a69460a3e2355b7b48cf83d5b99e323c7ead

SHA512
1b1ba46c4db93b5fd1f92e14502b2c3937586466ea765cf66bec0b2c29bd8d035475adf4ba0e6b0c4749a00379dfdc595165928ac2563c573b0562791ad4db84

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
512B

MD5
b86b2475f3c886b0ee97fdc400911728

SHA1
c334bfc85ba7acae06d39ebfbbb43845b9ef12f5

SHA256
84d91cda8b33afb63803efa6d5e347b4c620926ae96afbf98250faa05925dec2

SHA512
af03d7498dc9854e02aface6aef9eb50b904fae57d677addad605e96bb4181d15fc18cca3db4d11a9e3d9accce41914f1e4939f5dd5254f963916a6761a5af86

Download Submit
C:\Windows\win\sysmon.exe

Filesize
1.1MB

MD5
6f723cd9002531ad31487e588d1132bc

SHA1
c794aab74ea0c76d1c077ca87d175014bc76f0f5

SHA256
c9206100b2d07324c79a83cb515893a79d39a1de3a6dac7a72a7b167c41b6910

SHA512
198154faa272369a965747852699d562c43622f9fbe94daf2cd4d62c63e64f7c542904e582f074f57843fb35e5db500149ee58c1826d733688e54eb6da6ad5a2

Download Submit
C:\d9c22b4eaa3c0b9c12c7\csrss.exe

Filesize
1.1MB

MD5
0504239df5b06c69842a6eb00cd2a5f7

SHA1
29af6026b2e124355fd95ef967afe0c27d77d8a3

SHA256
8286d4cdd75a10de73cef771137b2609f59d299ff96ecfd2b6de1d8f1ce1872c

SHA512
50f00191e442a17fb0cde01eed78b6b1a496292de0dfb68aab9e0acbcb2c3c16a917008df15fd41cb4b1013a66e082816d9030b86be110fb6850d1cb3a531e96

Download Submit
memory/732-132-0x0000025EB5080000-0x0000025EB50A2000-memory.dmp

Filesize
136KB

Download
memory/3844-237-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/4356-17-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/4356-5-0x0000000001770000-0x000000000177C000-memory.dmp

Filesize
48KB

Download
memory/4356-233-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/4356-232-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/4356-121-0x00007FFA59893000-0x00007FFA59895000-memory.dmp

Filesize
8KB

Download
memory/4356-25-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/4356-24-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/4356-21-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/4356-13-0x0000000003040000-0x000000000304A000-memory.dmp

Filesize
40KB

Download
memory/4356-20-0x000000001BB80000-0x000000001BB8C000-memory.dmp

Filesize
48KB

Download
memory/4356-12-0x0000000003030000-0x0000000003038000-memory.dmp

Filesize
32KB

Download
memory/4356-236-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/4356-2-0x00007FFA59890000-0x00007FFA5A351000-memory.dmp

Filesize
10.8MB

Download
memory/4356-14-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/4356-18-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/4356-1-0x0000000000D70000-0x0000000000E84000-memory.dmp

Filesize
1.1MB

Download
memory/4356-0-0x00007FFA59893000-0x00007FFA59895000-memory.dmp

Filesize
8KB

Download
memory/4356-11-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/4356-8-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/4356-15-0x000000001BB40000-0x000000001BB4A000-memory.dmp

Filesize
40KB

Download
memory/4356-9-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/4356-10-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/4356-6-0x0000000001780000-0x000000000178A000-memory.dmp

Filesize
40KB

Download
memory/4356-7-0x0000000001790000-0x000000000179C000-memory.dmp

Filesize
48KB

Download
memory/4356-16-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/4356-3-0x0000000001740000-0x0000000001748000-memory.dmp

Filesize
32KB

Download
memory/4356-4-0x0000000001750000-0x0000000001762000-memory.dmp

Filesize
72KB

Download
memory/5300-386-0x0000000002140000-0x0000000002152000-memory.dmp

Filesize
72KB

Download
memory/5756-510-0x000000001C740000-0x000000001C752000-memory.dmp

Filesize
72KB

Download