dcrat | c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Size

2.5MB
MD5

587e1d2473fea9284918bfbcf9897de2
SHA1

25dc1703e07cc5cc890238cc18d0199effab86be
SHA256

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28
SHA512

1e7313c16f84e618b9d9cea644d95b34cdb339830c5354354f126b85e8772994302abe5d7a2554e62898fb36d38f03c90b012e4060b69f57ce35806e975522fc
SSDEEP

49152:4sg2eGAIciUHLJPXf0fo+goVM6EztdiHGEgE7YsOlTvtq9hzDzqv:4FLHLJPPI9ErnvaYzlAfDzq

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	4908	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4908	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3196-1-0x0000000000BA0000-0x0000000000E30000-memory.dmp	dcrat
C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	dcrat

Detects executables packed with SmartAssembly 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3196-8-0x00000000017E0000-0x00000000017EA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3196-19-0x000000001BBE0000-0x000000001BBEA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3196-15-0x000000001BB80000-0x000000001BB8A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3196-12-0x0000000003170000-0x000000000317C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3004	powershell.exe
4248	powershell.exe
5012	powershell.exe
4280	powershell.exe
3268	powershell.exe
1764	powershell.exe
4792	powershell.exe
3408	powershell.exe
456	powershell.exe
3732	powershell.exe
3132	powershell.exe
1088	powershell.exe
2972	powershell.exe
408	powershell.exe
1936	powershell.exe
2980	powershell.exe
4040	powershell.exe
1052	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 10 IoCs

Processes:

taskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

pid process

1104 taskhostw.exe
4468 taskhostw.exe
4600 taskhostw.exe
5112 taskhostw.exe
4004 taskhostw.exe
512 taskhostw.exe
1104 taskhostw.exe
2680 taskhostw.exe
4948 taskhostw.exe
5020 taskhostw.exe

pid	process
1104	taskhostw.exe
4468	taskhostw.exe
4600	taskhostw.exe
5112	taskhostw.exe
4004	taskhostw.exe
512	taskhostw.exe
1104	taskhostw.exe
2680	taskhostw.exe
4948	taskhostw.exe
5020	taskhostw.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\VideoLAN\\services.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\AppReadiness\\WmiPrvSE.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\AppReadiness\\WmiPrvSE.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Saved Games\\sysmon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\VideoLAN\\services.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28 = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28 = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Saved Games\\sysmon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default User\\taskhostw.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28 = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28 = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default User\\taskhostw.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

Drops file in Program Files directory 19 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\it-IT\Registry.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\VideoLAN\c5b4cb5e9653cc	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\VideoLAN\VLC\skins\SearchApp.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\VideoLAN\VLC\skins\38384e6a620884	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\a022e66fd73091	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Windows Mail\56085415360792	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Windows Portable Devices\sppsvc.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Windows Portable Devices\0a1fd5f707cd16	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Common Files\System\msadc\taskhostw.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Common Files\System\msadc\ea9f0e6c9e2dcd	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\VideoLAN\services.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\TextInputHost.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\22eafd247d37c3	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\5b884080fd4f94	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sppsvc.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Windows Media Player\it-IT\ee2ad38f3d4382	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Program Files\Windows Mail\wininit.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Drops file in Windows directory 5 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\a022e66fd73091	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\Speech\Common\winlogon.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\AppReadiness\WmiPrvSE.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
File created	C:\Windows\AppReadiness\24dbde2999530e	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

Processes:

taskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	taskhostw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4976	schtasks.exe
2512	schtasks.exe
2044	schtasks.exe
644	schtasks.exe
4268	schtasks.exe
2188	schtasks.exe
808	schtasks.exe
2448	schtasks.exe
4536	schtasks.exe
4692	schtasks.exe
1004	schtasks.exe
4164	schtasks.exe
5084	schtasks.exe
3492	schtasks.exe
3412	schtasks.exe
4072	schtasks.exe
4924	schtasks.exe
1012	schtasks.exe
3400	schtasks.exe
4756	schtasks.exe
1612	schtasks.exe
3292	schtasks.exe
216	schtasks.exe
2992	schtasks.exe
244	schtasks.exe
3620	schtasks.exe
2364	schtasks.exe
2604	schtasks.exe
4520	schtasks.exe
4340	schtasks.exe
4420	schtasks.exe
3400	schtasks.exe
1192	schtasks.exe
2208	schtasks.exe
4968	schtasks.exe
3212	schtasks.exe
1728	schtasks.exe
2892	schtasks.exe
2360	schtasks.exe
4232	schtasks.exe
4160	schtasks.exe
4524	schtasks.exe
1100	schtasks.exe
516	schtasks.exe
3096	schtasks.exe
2392	schtasks.exe
2404	schtasks.exe
3992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exe

pid	process
3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2972	powershell.exe
2972	powershell.exe
2980	powershell.exe
2980	powershell.exe
5012	powershell.exe
5012	powershell.exe
1936	powershell.exe
1936	powershell.exe
1764	powershell.exe
1764	powershell.exe
3268	powershell.exe
3268	powershell.exe
408	powershell.exe
408	powershell.exe
4792	powershell.exe
4792	powershell.exe
1052	powershell.exe
1052	powershell.exe
3408	powershell.exe
3408	powershell.exe
4280	powershell.exe
4280	powershell.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
2980	powershell.exe
1764	powershell.exe
2972	powershell.exe
1052	powershell.exe
5012	powershell.exe
1936	powershell.exe
408	powershell.exe
3268	powershell.exe
4280	powershell.exe
4792	powershell.exe
3408	powershell.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
3004	powershell.exe
3732	powershell.exe
456	powershell.exe
4040	powershell.exe
4248	powershell.exe
3132	powershell.exe
3004	powershell.exe
3132	powershell.exe
456	powershell.exe
3732	powershell.exe
4040	powershell.exe
4248	powershell.exe
1104	taskhostw.exe
4468	taskhostw.exe
4600	taskhostw.exe
5112	taskhostw.exe
4004	taskhostw.exe
512	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	1104	taskhostw.exe
Token: SeDebugPrivilege	4468	taskhostw.exe
Token: SeDebugPrivilege	4600	taskhostw.exe
Token: SeDebugPrivilege	5112	taskhostw.exe
Token: SeDebugPrivilege	4004	taskhostw.exe
Token: SeDebugPrivilege	512	taskhostw.exe
Token: SeDebugPrivilege	1104	taskhostw.exe
Token: SeDebugPrivilege	2680	taskhostw.exe
Token: SeDebugPrivilege	4948	taskhostw.exe
Token: SeDebugPrivilege	5020	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.execmd.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.execmd.exetaskhostw.exeWScript.exetaskhostw.exeWScript.exetaskhostw.exe

description	pid	process	target process
PID 3196 wrote to memory of 5012	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 5012	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 2980	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 2980	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1764	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1764	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1936	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1936	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 3268	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 3268	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 408	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 408	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 4280	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 4280	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 2972	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 2972	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 3408	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 3408	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1052	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1052	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1088	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 1088	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 4792	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 4792	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 3196 wrote to memory of 2476	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	cmd.exe
PID 3196 wrote to memory of 2476	3196	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	cmd.exe
PID 2476 wrote to memory of 4764	2476	cmd.exe	w32tm.exe
PID 2476 wrote to memory of 4764	2476	cmd.exe	w32tm.exe
PID 2476 wrote to memory of 2232	2476	cmd.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
PID 2476 wrote to memory of 2232	2476	cmd.exe	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
PID 2232 wrote to memory of 3004	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 3004	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 3132	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 3132	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 3732	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 3732	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 4040	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 4040	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 4248	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 4248	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 456	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 456	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	powershell.exe
PID 2232 wrote to memory of 4212	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	cmd.exe
PID 2232 wrote to memory of 4212	2232	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe	cmd.exe
PID 4212 wrote to memory of 3124	4212	cmd.exe	w32tm.exe
PID 4212 wrote to memory of 3124	4212	cmd.exe	w32tm.exe
PID 4212 wrote to memory of 1104	4212	cmd.exe	taskhostw.exe
PID 4212 wrote to memory of 1104	4212	cmd.exe	taskhostw.exe
PID 1104 wrote to memory of 1200	1104	taskhostw.exe	WScript.exe
PID 1104 wrote to memory of 1200	1104	taskhostw.exe	WScript.exe
PID 1104 wrote to memory of 2200	1104	taskhostw.exe	WScript.exe
PID 1104 wrote to memory of 2200	1104	taskhostw.exe	WScript.exe
PID 1200 wrote to memory of 4468	1200	WScript.exe	taskhostw.exe
PID 1200 wrote to memory of 4468	1200	WScript.exe	taskhostw.exe
PID 4468 wrote to memory of 3412	4468	taskhostw.exe	WScript.exe
PID 4468 wrote to memory of 3412	4468	taskhostw.exe	WScript.exe
PID 4468 wrote to memory of 4264	4468	taskhostw.exe	WScript.exe
PID 4468 wrote to memory of 4264	4468	taskhostw.exe	WScript.exe
PID 3412 wrote to memory of 4600	3412	WScript.exe	taskhostw.exe
PID 3412 wrote to memory of 4600	3412	WScript.exe	taskhostw.exe
PID 4600 wrote to memory of 752	4600	taskhostw.exe	WScript.exe
PID 4600 wrote to memory of 752	4600	taskhostw.exe	WScript.exe
PID 4600 wrote to memory of 1868	4600	taskhostw.exe	WScript.exe
PID 4600 wrote to memory of 1868	4600	taskhostw.exe	WScript.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

taskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exetaskhostw.exec729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
"C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\sppsvc.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\TextInputHost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\msadc\taskhostw.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\Registry.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\services.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\SearchApp.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z2oaNCQbar.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
"C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\WmiPrvSE.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\sysmon.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64DJ6yI96Y.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:3124

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\964b25d1-9e77-4e0a-95e3-969d18086ca5.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4468

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194c9903-cc70-410f-b9f0-8936e1351111.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0236a17-e11f-474d-98e6-9079decd3a5d.vbs"
10⤵
PID:752

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8703448-8e75-4e29-909f-f321b34f514d.vbs"
12⤵
PID:1692

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47988053-9241-4fe9-8da9-840eedc25775.vbs"
14⤵
PID:4360

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4dc90d7-c37a-42be-baae-b1f54d175a1e.vbs"
16⤵
PID:4436

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c876ce2-8896-419d-9e38-9e73f2878a5b.vbs"
18⤵
PID:2432

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a203b40c-1376-4bd5-8030-292aad135f98.vbs"
20⤵
PID:1808

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69dfb4d0-e848-4079-9e6e-a2deafd47645.vbs"
22⤵
PID:3812

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbf580e-f41c-4a0a-ade2-478e2793592e.vbs"
24⤵
PID:4792

C:\Users\Default User\taskhostw.exe
"C:\Users\Default User\taskhostw.exe"
25⤵
PID:4764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ffa879-7b45-454e-b5bb-72dec1ed6227.vbs"
26⤵
PID:384

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e605d55e-9997-41aa-a7f4-3a0bac856ce7.vbs"
26⤵
PID:3236

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\556680db-4d9c-46ed-b7f7-eca4403b2dd3.vbs"
24⤵
PID:3092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cf6aa6c-1fdb-4154-8df8-91a571db330a.vbs"
22⤵
PID:3732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\482259a5-5f3b-4df4-847c-5c44cefa7e8a.vbs"
20⤵
PID:1464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f58c454-a48d-4c00-905e-d8f3e00ec329.vbs"
18⤵
PID:4152

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854c0bcb-6a57-4f1b-88a2-7923d4c1ade1.vbs"
16⤵
PID:724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5139adaf-aa28-4378-9d68-e2c8cb3e7338.vbs"
14⤵
PID:3524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb99b9a6-510a-4b12-aa37-5b3b52c2637b.vbs"
12⤵
PID:4920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3f57c82-cf07-451d-9c4f-8771bd878621.vbs"
10⤵
PID:1868

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1de42bc-0eb2-4618-8c05-412f1b5d4a8e.vbs"
8⤵
PID:4264

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93e22a27-e2f6-4655-bc1d-ed46966b577a.vbs"
6⤵
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\msadc\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\msadc\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28c" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28c" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28c" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28c" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\AppReadiness\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe.log
Filesize
1KB

MD5
c6ecc3bc2cdd7883e4f2039a5a5cf884

SHA1
20c9dd2a200e4b0390d490a7a76fa184bfc78151

SHA256
b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d

SHA512
892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log
Filesize
1KB

MD5
9b0256da3bf9a5303141361b3da59823

SHA1
d73f34951777136c444eb2c98394f62912ebcdac

SHA256
96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

SHA512
9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
0fd3f36f28a947bdd05f1e05acf24489

SHA1
cf12e091a80740df2201c5b47049dd231c530ad3

SHA256
d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50

SHA512
5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ce0c2fd0f881d4c57e9df4944f8acd84

SHA1
1343d3d9f85973a1f7918dd612d0e70bdf962ffc

SHA256
66851f3b3d4cce3c4cdd691ef09f62f19181a6a1e194b9d96a2f0e82f12076ee

SHA512
e78794c65f82308e7b7ea8a13ea4b5422523613fe8282998a4ed426fb815d06f96e76f54aaca7cf5c0198ff1018ebdfce548953d729347ca25d06fedbdb2cbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\194c9903-cc70-410f-b9f0-8936e1351111.vbs
Filesize
711B

MD5
3cb91039752a99f69f762b62efa2d2ad

SHA1
5d0856acd9194e317a0e27ebbb0469ad88c6f9d7

SHA256
f29c6aa1e3d14272e3eecbdd33baa437ff4d309cd3fde36540ada504342d2ede

SHA512
0d8f02bad4135ea49fa2b643cc9dbcf2a9761df36a3db60a43df693ce399fd44f1f2044469950c631ba4707d6386110157377bd8a8d3c32d39f5abe29d8ab372

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fbf580e-f41c-4a0a-ade2-478e2793592e.vbs
Filesize
711B

MD5
027e655638a18e760269093577cf280d

SHA1
6a6de3b78ab59d1164d5352e7adb133bca2f3201

SHA256
ded944f7ac42debf06a46407d262fb834fd806c14009892e2ab9f6a2ea89c01e

SHA512
587ed447caf948dc9ab40a507a3ee973167292fa288aebd88bdeabd0141891b26afe198a85ff6ded078215bb5310c4ae21fdf36ed521439189dd867f82c72d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\47988053-9241-4fe9-8da9-840eedc25775.vbs
Filesize
711B

MD5
8f7a81d58187e2f07076c40d630af12b

SHA1
5aca90f8f982c46a7453ed2ca8f19610903b4195

SHA256
ebed415aa45d01bf8b1477ec4d8aa9847a108cfed655bcc68fd20100eb4b56e3

SHA512
909f83fcd7247016c6f22270ee441e8bc3ff5e519f9b5f1522a9e100ea4e36804019ac992978f7aeeeef2e8702b86de11e3430152e87b400a01e4b5ad3fe6fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\64DJ6yI96Y.bat
Filesize
200B

MD5
b9b683bb404d0df0aff5546fefc274aa

SHA1
bd505b509a6c4d8fdb637ec26211f315569a6e38

SHA256
6c3c7e287bd112098628f8829f0bfb9cb561607a8142a692ff20ab5cf2a5aae3

SHA512
96ac2ea132f3092fdab52c53fef7b73b3e7e1da801748f33302ec1dcf7c68d84bf7375dfbccd7dd574d1a960993232079f2370a4c67e629ed8fbcc6071dbc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\69dfb4d0-e848-4079-9e6e-a2deafd47645.vbs
Filesize
711B

MD5
ff0e8d3dae8474e4489a44db51f62fa7

SHA1
d460eca51d9d2985d3da79c3db1e515366fc7fa0

SHA256
3601e8e7f7e14a6d59dcfcb5f660e4c49ac7034a9a0dc09b566ca12137566d90

SHA512
35dc557d20beeea51c4238376ba8b8dfa5292f1263e36799230f9e7ffb8877a1f906d015a103111dff1af7a92dc6d81b0bdb7485f6b87a0c4c40fa7e884f55af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c4b13a082a0a9ee212e5dc982be46041f816d56.exe
Filesize
2.5MB

MD5
6cd880f93150c2ad57ff570bb5df028d

SHA1
2b2d0cb425d0da443e1f19089d874d9d360eb20c

SHA256
963735dcf8f2e04bc8ffbaa56c25d9084900ff0ab22fd801bf24ddf5e4ece662

SHA512
5ee3b8f0da144abca6823dfa4374fda729b57d5fdda093712572d172abf11ac1c3a92ff58bd8f4b652ce6d8bdb5ae91fe6bee141ce009ce010ea61c1229cf02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\93e22a27-e2f6-4655-bc1d-ed46966b577a.vbs
Filesize
487B

MD5
28f81296cd20400ffe7898a14aaa1233

SHA1
53f8aa0c768c54dae95684343b80725f9e37263f

SHA256
24764b7231cf5b0b5024cfc3b729e0b31c6b694da3cc4b3816f13d37f9d4b3bc

SHA512
5e48ad1e4914c1ebbcbcf3eb42e94004b9e0f0c649833561ac914b2c23f4856648850123b81d76d1c0fa39ce7f3b3d98a54b3509b196c0ef33bf9dc430c2d3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\964b25d1-9e77-4e0a-95e3-969d18086ca5.vbs
Filesize
711B

MD5
725d4311937ee134c6de607e845cbf85

SHA1
1f0a32f692ead4cc878149953c753977debbb0fc

SHA256
6705ef9377ca33cb7244f06c41f019625ef7bbff32a1029df7091e0bbf040e76

SHA512
d7318ff7985ea9bf1828c112065972d63c1d28b60b91a6a9f0799d17e69222e4fbcfe0ef4deba0fdd42d7cb2bea94c8c1572abb1add6893e94d6afe7486ec071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z2oaNCQbar.bat
Filesize
267B

MD5
1000ddfe21a2ebca7e50ed8f48050a68

SHA1
a66778f9649d81b5e7db5de56a26d48178352276

SHA256
4e12d4c9cad5d51ea10441ad3fd600ea247fcbb31eb683eca1f9e19f5fa7b926

SHA512
6ee9a0e5dd67eb4aed3b18f107f0a262b080823ff78603f6a4ccf4d5191b5a54923753e927207a32050976da6426b6ec242c2873b0a4d001842dd7b9d206461b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i301zpod.zle.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a203b40c-1376-4bd5-8030-292aad135f98.vbs
Filesize
711B

MD5
92a9f6a0abf9a6fca03102aadd2e0062

SHA1
cd8e3e60240bfcbd52010a51202c28de48ea2101

SHA256
1f4ab6363f759a07143e6f29d79b4de44b5e203babc07719756d964b98495913

SHA512
8940bb26191c211411b97c280075884f9be56b8eb92e30ad7c3621b3af1076471ff2468778e4b473576da2b96726038867a19154996e81ca5e41e22522ade55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0236a17-e11f-474d-98e6-9079decd3a5d.vbs
Filesize
711B

MD5
d5da0e6511a31fb4df373e3711b2f7ad

SHA1
9ed313a1660102458b93cceb8273dfc5f0e05578

SHA256
3d41d7266e7c1b0e01defb4d0d69f7c11d08ac6e75e3f9813d3ddf135bfc99c8

SHA512
ab89cdc9fd1690b2289cf56f5acc4b279d3ad560ef36bfc27455813731874b159741e11df867d279f573a8c38d9084001ead7e95fa596cb2d64045cd8979a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4dc90d7-c37a-42be-baae-b1f54d175a1e.vbs
Filesize
710B

MD5
b9162021321f85cf725834f45d8c4534

SHA1
282ac94b6b28e055ab89e7fee90bbf5cea948e76

SHA256
771ad3c8de428fae5e2964b1956fceb996b1ae7877ba4720896b0b6ff2027dde

SHA512
9d5de2fcfce0b024e827d8bb523f55f108e21b73da7751bf9e9321bfd57bf62d473a6c58c2f9f4f9341022e2061a86521742010a46d44555d828e09a5a6e35e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8703448-8e75-4e29-909f-f321b34f514d.vbs
Filesize
711B

MD5
ad50d3503e8c5c67fe70c70b9783c12c

SHA1
61d34c574a0d8a72735ed2510564117787dd9ce6

SHA256
88f6a313f3b46305426eea28a6ea2fcdf2bcdbd048a94a627e68ef56df5f0c6c

SHA512
2df8e483a597daea5c713df1f1e397ba705d9c1df495f2c891636570611b78e6579232d1846f2983d9f1e14aebca6df3c1b9e2da68f0adf9ce95a89c8e987392

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Filesize
2.5MB

MD5
587e1d2473fea9284918bfbcf9897de2

SHA1
25dc1703e07cc5cc890238cc18d0199effab86be

SHA256
c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28

SHA512
1e7313c16f84e618b9d9cea644d95b34cdb339830c5354354f126b85e8772994302abe5d7a2554e62898fb36d38f03c90b012e4060b69f57ce35806e975522fc

Download Submit
memory/408-176-0x000001DE74010000-0x000001DE7422C000-memory.dmp

Filesize
2.1MB

Download
memory/1052-180-0x00000239E4660000-0x00000239E487C000-memory.dmp

Filesize
2.1MB

Download
memory/1088-166-0x000001E0F7A70000-0x000001E0F7C8C000-memory.dmp

Filesize
2.1MB

Download
memory/1104-281-0x000000001B520000-0x000000001B576000-memory.dmp

Filesize
344KB

Download
memory/1764-174-0x0000025472030000-0x000002547224C000-memory.dmp

Filesize
2.1MB

Download
memory/1936-175-0x000001785E920000-0x000001785EB3C000-memory.dmp

Filesize
2.1MB

Download
memory/2972-183-0x0000028678F40000-0x000002867915C000-memory.dmp

Filesize
2.1MB

Download
memory/2980-57-0x0000023EE4CA0000-0x0000023EE4CC2000-memory.dmp

Filesize
136KB

Download
memory/2980-177-0x0000023EFD180000-0x0000023EFD39C000-memory.dmp

Filesize
2.1MB

Download
memory/3196-12-0x0000000003170000-0x000000000317C000-memory.dmp

Filesize
48KB

Download
memory/3196-19-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/3196-15-0x000000001BB80000-0x000000001BB8A000-memory.dmp

Filesize
40KB

Download
memory/3196-11-0x0000000003150000-0x0000000003158000-memory.dmp

Filesize
32KB

Download
memory/3196-10-0x00000000017F0000-0x00000000017FC000-memory.dmp

Filesize
48KB

Download
memory/3196-7-0x00000000017C0000-0x00000000017D6000-memory.dmp

Filesize
88KB

Download
memory/3196-6-0x00000000017B0000-0x00000000017B8000-memory.dmp

Filesize
32KB

Download
memory/3196-5-0x00000000030B0000-0x0000000003100000-memory.dmp

Filesize
320KB

Download
memory/3196-4-0x0000000001790000-0x00000000017AC000-memory.dmp

Filesize
112KB

Download
memory/3196-16-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/3196-17-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/3196-1-0x0000000000BA0000-0x0000000000E30000-memory.dmp

Filesize
2.6MB

Download
memory/3196-2-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-3-0x0000000001780000-0x000000000178E000-memory.dmp

Filesize
56KB

Download
memory/3196-18-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/3196-8-0x00000000017E0000-0x00000000017EA000-memory.dmp

Filesize
40KB

Download
memory/3196-9-0x0000000003100000-0x0000000003156000-memory.dmp

Filesize
344KB

Download
memory/3196-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp

Filesize
8KB

Download
memory/3196-58-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-13-0x0000000003180000-0x0000000003188000-memory.dmp

Filesize
32KB

Download
memory/3196-20-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/3196-14-0x0000000003190000-0x0000000003198000-memory.dmp

Filesize
32KB

Download
memory/3268-173-0x000001932EDD0000-0x000001932EFEC000-memory.dmp

Filesize
2.1MB

Download
memory/3408-192-0x000001995D670000-0x000001995D88C000-memory.dmp

Filesize
2.1MB

Download
memory/4280-195-0x000001F69C840000-0x000001F69CA5C000-memory.dmp

Filesize
2.1MB

Download
memory/4792-189-0x000002406C800000-0x000002406CA1C000-memory.dmp

Filesize
2.1MB

Download
memory/5012-186-0x0000028879920000-0x0000028879B3C000-memory.dmp

Filesize
2.1MB

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\AppReadiness\\WmiPrvSE.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\AppReadiness\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Saved Games\\sysmon.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\AppReadiness\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Users\\Default User\\taskhostw.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\TextInputHost.exe\", \"C:\\Program Files\\Common Files\\System\\msadc\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.FilePicker_cw5n1h2txyewy\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\Registry.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\SearchApp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\AppReadiness\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Saved Games\\sysmon.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\""	c729d915ac96ff25722e76303e87e67c8ed51f776992724fa89fedbb77fc8a28.exe