dcrat | d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Size

1.1MB
MD5

66c9a250fe9e60c4df2c9a157ae39211
SHA1

cabc35fd42f4534f5e05b5b9bd65dcfc85e469a7
SHA256

d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd
SHA512

1439934414be0b92acf1b51e6b3ba0a1ad296b879361f42fc557b740bde42204515bbbccfe5e9c74b702caf786c201ececee76bc5841618560f56de047c9cdc8
SSDEEP

12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\backgroundTaskHost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\backgroundTaskHost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\backgroundTaskHost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe\", \"C:\\Windows\\System32\\fhevents\\dllhost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\backgroundTaskHost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe\", \"C:\\Windows\\System32\\fhevents\\dllhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\wininit.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\", \"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5340	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	232	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	232	schtasks.exe	87

UAC bypass 3 TTPs 48 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
2028	powershell.exe
3756	powershell.exe
5516	powershell.exe
5172	powershell.exe
2632	powershell.exe
468	powershell.exe
4500	powershell.exe
5536	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
684	RuntimeBroker.exe
5176	RuntimeBroker.exe
5924	RuntimeBroker.exe
764	RuntimeBroker.exe
1292	RuntimeBroker.exe
4264	RuntimeBroker.exe
3692	RuntimeBroker.exe
4468	RuntimeBroker.exe
4532	RuntimeBroker.exe
1072	RuntimeBroker.exe
3304	RuntimeBroker.exe
3488	RuntimeBroker.exe
2140	RuntimeBroker.exe
4776	RuntimeBroker.exe
1672	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\Application Data\\backgroundTaskHost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd = "\"C:\\4d7dcf6448637544ea7e961be1ad\\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd = "\"C:\\4d7dcf6448637544ea7e961be1ad\\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\fhevents\\dllhost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\Windows.CloudStore\\taskhostw.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\4d7dcf6448637544ea7e961be1ad\\wininit.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Videos\\RuntimeBroker.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\cliegaliases\\unsecapp.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxManifest\\StartMenuExperienceHost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\fhevents\\dllhost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\4d7dcf6448637544ea7e961be1ad\\wininit.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\Application Data\\backgroundTaskHost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\fhevents\5940a34987c991	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\Windows.CloudStore\RCX9AF9.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\wbem\cliegaliases\unsecapp.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\fhevents\dllhost.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\Windows.CloudStore\taskhostw.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\wbem\cliegaliases\unsecapp.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\wbem\cliegaliases\RCX9F12.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\fhevents\RCXA734.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\Windows.CloudStore\taskhostw.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\Windows.CloudStore\ea9f0e6c9e2dcd	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\wbem\cliegaliases\29c1c3cc0f7685	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\fhevents\dllhost.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\55b276f4edf653	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\RCXA126.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3872	schtasks.exe
2672	schtasks.exe
4048	schtasks.exe
5340	schtasks.exe
3140	schtasks.exe
2356	schtasks.exe
4172	schtasks.exe
5212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
5536	powershell.exe
5536	powershell.exe
3756	powershell.exe
3756	powershell.exe
5172	powershell.exe
5172	powershell.exe
5516	powershell.exe
4500	powershell.exe
4500	powershell.exe
5516	powershell.exe
2028	powershell.exe
2028	powershell.exe
468	powershell.exe
468	powershell.exe
2632	powershell.exe
2632	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
4500	powershell.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
3756	powershell.exe
5536	powershell.exe
5172	powershell.exe
5516	powershell.exe
2028	powershell.exe
2632	powershell.exe
468	powershell.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
684	RuntimeBroker.exe
684	RuntimeBroker.exe
684	RuntimeBroker.exe
684	RuntimeBroker.exe
5176	RuntimeBroker.exe
5176	RuntimeBroker.exe
5176	RuntimeBroker.exe
5176	RuntimeBroker.exe
5176	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Token: SeDebugPrivilege	5536	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	684	RuntimeBroker.exe
Token: SeDebugPrivilege	5176	RuntimeBroker.exe
Token: SeDebugPrivilege	5924	RuntimeBroker.exe
Token: SeDebugPrivilege	764	RuntimeBroker.exe
Token: SeDebugPrivilege	1292	RuntimeBroker.exe
Token: SeDebugPrivilege	4264	RuntimeBroker.exe
Token: SeDebugPrivilege	3692	RuntimeBroker.exe
Token: SeDebugPrivilege	4468	RuntimeBroker.exe
Token: SeDebugPrivilege	4532	RuntimeBroker.exe
Token: SeDebugPrivilege	1072	RuntimeBroker.exe
Token: SeDebugPrivilege	3304	RuntimeBroker.exe
Token: SeDebugPrivilege	3488	RuntimeBroker.exe
Token: SeDebugPrivilege	2140	RuntimeBroker.exe
Token: SeDebugPrivilege	4776	RuntimeBroker.exe
Token: SeDebugPrivilege	1672	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 468	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	98
PID 2516 wrote to memory of 468	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	98
PID 2516 wrote to memory of 4500	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	99
PID 2516 wrote to memory of 4500	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	99
PID 2516 wrote to memory of 2024	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	100
PID 2516 wrote to memory of 2024	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	100
PID 2516 wrote to memory of 5536	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	101
PID 2516 wrote to memory of 5536	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	101
PID 2516 wrote to memory of 2028	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	102
PID 2516 wrote to memory of 2028	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	102
PID 2516 wrote to memory of 3756	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	103
PID 2516 wrote to memory of 3756	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	103
PID 2516 wrote to memory of 5516	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	104
PID 2516 wrote to memory of 5516	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	104
PID 2516 wrote to memory of 5172	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	105
PID 2516 wrote to memory of 5172	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	105
PID 2516 wrote to memory of 2632	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	106
PID 2516 wrote to memory of 2632	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	106
PID 2516 wrote to memory of 684	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	116
PID 2516 wrote to memory of 684	2516	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	116
PID 684 wrote to memory of 6136	684	RuntimeBroker.exe	117
PID 684 wrote to memory of 6136	684	RuntimeBroker.exe	117
PID 684 wrote to memory of 112	684	RuntimeBroker.exe	118
PID 684 wrote to memory of 112	684	RuntimeBroker.exe	118
PID 6136 wrote to memory of 5176	6136	WScript.exe	123
PID 6136 wrote to memory of 5176	6136	WScript.exe	123
PID 5176 wrote to memory of 3604	5176	RuntimeBroker.exe	124
PID 5176 wrote to memory of 3604	5176	RuntimeBroker.exe	124
PID 5176 wrote to memory of 5444	5176	RuntimeBroker.exe	125
PID 5176 wrote to memory of 5444	5176	RuntimeBroker.exe	125
PID 3604 wrote to memory of 5924	3604	WScript.exe	128
PID 3604 wrote to memory of 5924	3604	WScript.exe	128
PID 5924 wrote to memory of 4404	5924	RuntimeBroker.exe	129
PID 5924 wrote to memory of 4404	5924	RuntimeBroker.exe	129
PID 5924 wrote to memory of 5992	5924	RuntimeBroker.exe	130
PID 5924 wrote to memory of 5992	5924	RuntimeBroker.exe	130
PID 4404 wrote to memory of 764	4404	WScript.exe	132
PID 4404 wrote to memory of 764	4404	WScript.exe	132
PID 764 wrote to memory of 5568	764	RuntimeBroker.exe	134
PID 764 wrote to memory of 5568	764	RuntimeBroker.exe	134
PID 764 wrote to memory of 3960	764	RuntimeBroker.exe	135
PID 764 wrote to memory of 3960	764	RuntimeBroker.exe	135
PID 5568 wrote to memory of 1292	5568	WScript.exe	138
PID 5568 wrote to memory of 1292	5568	WScript.exe	138
PID 1292 wrote to memory of 4632	1292	RuntimeBroker.exe	139
PID 1292 wrote to memory of 4632	1292	RuntimeBroker.exe	139
PID 1292 wrote to memory of 2984	1292	RuntimeBroker.exe	140
PID 1292 wrote to memory of 2984	1292	RuntimeBroker.exe	140
PID 4632 wrote to memory of 4264	4632	WScript.exe	141
PID 4632 wrote to memory of 4264	4632	WScript.exe	141
PID 4264 wrote to memory of 4780	4264	RuntimeBroker.exe	142
PID 4264 wrote to memory of 4780	4264	RuntimeBroker.exe	142
PID 4264 wrote to memory of 4804	4264	RuntimeBroker.exe	143
PID 4264 wrote to memory of 4804	4264	RuntimeBroker.exe	143
PID 4780 wrote to memory of 3692	4780	WScript.exe	144
PID 4780 wrote to memory of 3692	4780	WScript.exe	144
PID 3692 wrote to memory of 1868	3692	RuntimeBroker.exe	145
PID 3692 wrote to memory of 1868	3692	RuntimeBroker.exe	145
PID 3692 wrote to memory of 5904	3692	RuntimeBroker.exe	146
PID 3692 wrote to memory of 5904	3692	RuntimeBroker.exe	146
PID 1868 wrote to memory of 4468	1868	WScript.exe	148
PID 1868 wrote to memory of 4468	1868	WScript.exe	148
PID 4468 wrote to memory of 1164	4468	RuntimeBroker.exe	149
PID 4468 wrote to memory of 1164	4468	RuntimeBroker.exe	149

System policy modification 1 TTPs 48 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
"C:\Users\Admin\AppData\Local\Temp\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.CloudStore\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\cliegaliases\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Application Data\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fhevents\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Users\Default\Videos\RuntimeBroker.exe
  "C:\Users\Default\Videos\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:684
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcfd0816-d86c-444e-98d1-d2ad2bf0250f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6136
  - - C:\Users\Default\Videos\RuntimeBroker.exe
      C:\Users\Default\Videos\RuntimeBroker.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5176
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdb9035-7e07-4589-9793-fe40a30df421.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dc89b5c-630f-4a79-bbae-043779124c28.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85945b9f-6ebc-4201-8811-5955e7a0099b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5568
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3744ef49-7614-4602-bd92-a57ee8a95dbb.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\068d1b72-30e8-439b-b011-7722239c81ba.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f78f617d-896a-49db-99fc-96ff6403a4bb.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a74561b0-ca0c-480b-9e7d-9283c79994bf.vbs"
        17⤵
        
        PID:1164
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1973c7f8-e7e2-42a7-ae30-e8fb4aa41ddc.vbs"
        19⤵
        
        PID:2528
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afca9ffa-f15b-4d9d-ae6f-bd370cd0a541.vbs"
        21⤵
        
        PID:5188
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\055ec3a3-0999-4b4a-8d63-85c8ea9d6b35.vbs"
        23⤵
        
        PID:1824
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f3a5c36-756d-43d6-84e8-6a000933c0c5.vbs"
        25⤵
        
        PID:2672
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3069210-918a-487e-b471-5e68ccbbf7b5.vbs"
        27⤵
        
        PID:5972
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dda2cb6-e8b7-4a6a-b186-71e366f0458a.vbs"
        29⤵
        
        PID:4880
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        
        C:\Users\Default\Videos\RuntimeBroker.exe
        30⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22747ab6-e1bc-4e35-8549-7e4c5ecced81.vbs"
        31⤵
        
        PID:4144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ec3a5e-85ca-4231-bd32-c7b72531566e.vbs"
        31⤵
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afce8600-98cf-4727-873e-3914651d4bec.vbs"
        29⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\767bc45f-fcac-485d-8400-9b0f5ddddd04.vbs"
        27⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15488a99-3254-4cbc-9d6b-93e4f3c3ae73.vbs"
        25⤵
        
        PID:6076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8da6d554-cba5-4b17-93d1-fe8aaf590490.vbs"
        23⤵
        
        PID:5672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cf5933-7b02-4078-8305-dd8ea687748f.vbs"
        21⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f46c8b3-a62d-4c10-a3e1-4f8ee001609c.vbs"
        19⤵
        
        PID:4432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b985c238-fcd0-4fe3-868a-8dd139ff40b8.vbs"
        17⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\003fb903-87ae-4035-8d8c-27cd92b2c8ce.vbs"
        15⤵
        
        PID:5904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\655d3be9-e562-409f-a54f-e859d1f3d3ae.vbs"
        13⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6405f829-2a4d-4363-b11a-e760ef241d0d.vbs"
        11⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2a013a8-e0b8-4e57-97c4-26876461e701.vbs"
        9⤵
        
        PID:3960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab6d0282-3e3b-4530-a08e-520b59cea4e5.vbs"
        7⤵
        
        PID:5992
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98ca8b2a-4bd5-49dd-95aa-99dcb47263da.vbs"
        5⤵
        
        PID:5444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f64d110-487f-45b7-8620-8e24345c329a.vbs"
    3⤵
    PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\Windows.CloudStore\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\cliegaliases\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxManifest\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\Application Data\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\fhevents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\backgroundTaskHost.exe

Filesize
1.1MB

MD5
66c9a250fe9e60c4df2c9a157ae39211

SHA1
cabc35fd42f4534f5e05b5b9bd65dcfc85e469a7

SHA256
d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd

SHA512
1439934414be0b92acf1b51e6b3ba0a1ad296b879361f42fc557b740bde42204515bbbccfe5e9c74b702caf786c201ececee76bc5841618560f56de047c9cdc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e69ced0a44ced088c3954d6ae03796e7

SHA1
ef4cac17b8643fb57424bb56907381a555a8cb92

SHA256
49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

SHA512
15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4b25365534f6e80f784bf0e0d4059973

SHA1
c599ef0f1d9ba1265eeb3bb02db8ea30eebee19c

SHA256
ea3d1a91d3248163412b2df35c0fcafbdc2ad4754c82e202b8f3b142af2b760c

SHA512
96deef1eba434a1784105a51888ca0cedd460bf05743e91e06a2b3dfff690099a5c3aad8b15297d3f84a10d8ddc24cfafa622217139ac1356fe40f18fd410c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a1e48b8d7963bbbb73f442cd864dca3

SHA1
7f71e6af810a734d5f6a0c3ba90c171442e7e334

SHA256
33f70a94f53d11ebf2ea52debe0eb6afd7b30a095b31e784b0d4a0fb42b708e9

SHA512
26599ce4722f735e1b19f8b68d82318978d577245530e23f5445330dbccb395ffff4e6c4020cdeada5b179b94b557a3e093c2dbe5606b1b6956c1f73a91f637e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\055ec3a3-0999-4b4a-8d63-85c8ea9d6b35.vbs

Filesize
717B

MD5
169557780f4e6fce4eb55b02478f322c

SHA1
36ef5107a92afc28b7026ff255adf5c8cb8b69dc

SHA256
6864745ff3e12fe81dffe131cec362fae9cb2dc8c7c9d85499a2dcc73d55d5dd

SHA512
c54b739fe98f5d545cb54374ddf1cc0f6c65b0fd8e34bc98710277a9312d9a4998cf079ecb9c607695440be77cd5c672c3ef2f74dd798ccca31e70a169cc91de

Download Submit
C:\Users\Admin\AppData\Local\Temp\068d1b72-30e8-439b-b011-7722239c81ba.vbs

Filesize
717B

MD5
7211c41d75bfe651c05f045dc0e93de6

SHA1
d0d10f34dbcdd2751132c036a0a5ec2c3e8a12c9

SHA256
ee79c43265436d1c679d9167411c0504c4cc9f26a961d819b83b19c183f3140b

SHA512
ee6c6085971088453e15e3e1a5a9cc8d65a9b0cd08060281a45481917eb899e0e8c2fe2246fba2dc0516a225add504266285ba303a6d18618a6f6a5b9aa65d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\1973c7f8-e7e2-42a7-ae30-e8fb4aa41ddc.vbs

Filesize
717B

MD5
77563eb65388ff66ede0e7fcfca7d1e4

SHA1
ffeb0a7298ebabd9f93273551b8e5d2de4faa82b

SHA256
0700183f5006685f971e717d97b1ca87c9197e9720216069e67e89858b149e14

SHA512
05034c28de7e3cd8ff1d4e137ef84c5e9e33b054d81cffb0e8ddf9ca4cf19b50a205c8d997b7e2d1e3ef5bddb9de92717a3f0dc76da7f4eeadd86211fa530afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3744ef49-7614-4602-bd92-a57ee8a95dbb.vbs

Filesize
717B

MD5
de18bde204bb45f020d9810bf229e79c

SHA1
979e2ac92292032add1375bb7b0d3632c7452e36

SHA256
4b4ac669d06f9abde57118113c49d6d2cffbc45b38fefb8176cd8c0829d39efa

SHA512
3e659b26ff15e34158aac10d5e9d53281bf541d47d935e91434a8f32a14f008585d496d169a4a6f6a6c9c10898a3091bf0db7bf442f1b6070e4eed2545fd59cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dc89b5c-630f-4a79-bbae-043779124c28.vbs

Filesize
717B

MD5
1904a0825cdf84de97f2bc57aca3d947

SHA1
3c1b46d618a935d4cb658da269848a8705771502

SHA256
b113c54f3072b43dddf36256fface1e9ed5b65e3b492fd319e4785f4743bec57

SHA512
e6abc5dc0aca47c15027a6531e8d924d3497b829e49c7535e77b236ffe91fb638accc99451fc266d56c1ebbae66f74b2a7fc00e8a7ce26db75f358f13cdca6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f64d110-487f-45b7-8620-8e24345c329a.vbs

Filesize
493B

MD5
522a5cef6d0bf85a49c1c27cbc9821b1

SHA1
86ff620ecf64b73cf3152f0066ee10e7af98a68d

SHA256
4d4108eb12b6683cd94b98d6326fbc4efe86c7086bb681454980fe6d8c12d7f1

SHA512
87b64efda4eb21812b3806b0db1e2436d935aa14c392068c703f159a5eb38fa0c15910b50d233b79ff6e7531a8cd78a52c243e433094789a3cc1a44f33a44a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f3a5c36-756d-43d6-84e8-6a000933c0c5.vbs

Filesize
717B

MD5
c687d4a3aad4d1d89e3451a1cae0924a

SHA1
5437ea83927a003760d908cfa86ea244e3f8adae

SHA256
da1b49c5a091651ae4ce65c3ae1726d6ef6bd859037d9f80160e817bc8cf473e

SHA512
d9e01a265bf17d50d2bce55373912fcf95d44cb0ae32034c5d1ba6998510945ba62126cfb10bbd6f42a0e76b2f035db8959f8e150760979c9d0cb73cd18962d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\85945b9f-6ebc-4201-8811-5955e7a0099b.vbs

Filesize
716B

MD5
88fc1852e66111350e607107037ba828

SHA1
73a3d138751d5968fe66a9af1b5172cca3a3cc4d

SHA256
eddcc42b02bdfc627ad665b7f19c67d49ddcb545ea6f4a6c0c3c66c9fdae448b

SHA512
73ffd128ad0687a841c65ddcadc9a2ca872bb1bc49a0fae8bb7bad366c4aa809f9c7407f17e28c9f5e4ce080d65e999781585403984f23826906b974a4014715

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jg1f5god.emx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a74561b0-ca0c-480b-9e7d-9283c79994bf.vbs

Filesize
717B

MD5
f9c2406b4dbc81e40cc63562c7a84911

SHA1
9a5c302bac96c7af0ea3458da8abca69387d628d

SHA256
47ef827af462f1a3dc764c06adad08eff1472c9cfb62384e53d3d0876bc1debc

SHA512
1ddf800c92e3f6fdf02ba1d8bc28b6c5fa7bc6e69c49d2e5504c91151b17452036a1b6579216ad6a2d64920c934fe02b53900930a27f932e3576feab7340986e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afca9ffa-f15b-4d9d-ae6f-bd370cd0a541.vbs

Filesize
717B

MD5
7d53da59725ac932cc2b6182d685a46f

SHA1
f37794c3b18a920689621f000b56e9d0f87bc5a6

SHA256
bfea12bb9b17b0155dde4daa2c8657e52def200f44fc621b7d25b8601bc5338c

SHA512
a7e47eec01141499ff1e8dcaf7b972db85130c3bd347b032b2552fef0f2f37e1fabe51f99a396d4c98f405a6466197664bca83024dbe358c16832945b08a54ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3069210-918a-487e-b471-5e68ccbbf7b5.vbs

Filesize
717B

MD5
90e11f8c9e06c9ad06657c4c73666f51

SHA1
14731693a274d92d09ca9bbbeb325d75737d3c69

SHA256
7cda714cdf4bf88734f9b54015b34d026a9661d481c76f1537e6b1f976c3acf1

SHA512
63abb6fcc4df2c9590ac15f84071cbce37176240dea178cea949d96926f39fd591d0f15b8fe9284ef358e8880948bac70a4674295e791991b5073130b985d5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcdb9035-7e07-4589-9793-fe40a30df421.vbs

Filesize
717B

MD5
1364c900644d497842f2720c729c3245

SHA1
bb45dce2b1f00f6162b1abd75af740803c8ef851

SHA256
bf2327f5c4a44f5df33e82760fcf6222a684e6057464a79e8f9d03dedfd45ffc

SHA512
3dfa0644332997a78ca6fe52c5bae4c624a97fa9dc4a4958ccee67be8dac3609ab81c59fb8c2ae51eab76831f20bdeb775a44adf36f319b46f10bfaf9e46be26

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcfd0816-d86c-444e-98d1-d2ad2bf0250f.vbs

Filesize
716B

MD5
9397dd4625d5c392a51c98ef2884c384

SHA1
50e96db69c8cdca1098fe5347b4d9e757d5048c9

SHA256
2d404e9b2ade52c3aff871ce240fa73a350d818fc6c1df1cdc3d1581e644e7d6

SHA512
a3d46a2e43a37253fceb3f95a3114246eecfa9569209e408e65f916cf6511e6c94966801bfb87beae5c30be92ca13e3a582f8daf404e5f6cfa62ddecc1bb2bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f78f617d-896a-49db-99fc-96ff6403a4bb.vbs

Filesize
717B

MD5
29c9a95f80e99e1bc24567ea7f93b6a9

SHA1
89fb4fb3b940a34c55a5d2ef4565df14a99088f0

SHA256
bed30ba8ea51e4b545a67db0ffb8fb8a28687e4c1658c53d1f93f3db815031e8

SHA512
2bb83cac74f246217f02d060d235a2439c4b04a903fe95d3b01b609302a26309aa954854d9803352b12cf5444dfdbc054062fd2c83b1bb5df06a0066563cad19

Download Submit
memory/684-269-0x000000001CCE0000-0x000000001CD15000-memory.dmp

Filesize
212KB

Download
memory/2140-395-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/2516-11-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/2516-6-0x0000000002F40000-0x0000000002F4A000-memory.dmp

Filesize
40KB

Download
memory/2516-18-0x000000001C170000-0x000000001C178000-memory.dmp

Filesize
32KB

Download
memory/2516-17-0x000000001C160000-0x000000001C16C000-memory.dmp

Filesize
48KB

Download
memory/2516-16-0x000000001C150000-0x000000001C158000-memory.dmp

Filesize
32KB

Download
memory/2516-15-0x000000001C140000-0x000000001C14A000-memory.dmp

Filesize
40KB

Download
memory/2516-13-0x000000001BB10000-0x000000001BB1A000-memory.dmp

Filesize
40KB

Download
memory/2516-239-0x00007FFC1A410000-0x00007FFC1AED1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-14-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/2516-21-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/2516-25-0x00007FFC1A410000-0x00007FFC1AED1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-1-0x0000000000D60000-0x0000000000E74000-memory.dmp

Filesize
1.1MB

Download
memory/2516-0-0x00007FFC1A413000-0x00007FFC1A415000-memory.dmp

Filesize
8KB

Download
memory/2516-2-0x00007FFC1A410000-0x00007FFC1AED1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-12-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/2516-10-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/2516-9-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/2516-8-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/2516-24-0x00007FFC1A410000-0x00007FFC1AED1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-20-0x000000001C180000-0x000000001C18C000-memory.dmp

Filesize
48KB

Download
memory/2516-7-0x00000000030D0000-0x00000000030DC000-memory.dmp

Filesize
48KB

Download
memory/2516-5-0x0000000002F50000-0x0000000002F5C000-memory.dmp

Filesize
48KB

Download
memory/2516-4-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/2516-3-0x0000000002F20000-0x0000000002F28000-memory.dmp

Filesize
32KB

Download
memory/5176-272-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/5536-153-0x0000021DF2540000-0x0000021DF2562000-memory.dmp

Filesize
136KB

Download
memory/5924-284-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download