dcrat | 2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Size

1.2MB
MD5

477211148933cc41d67087078f70cd58
SHA1

3a931ffa7e536bd381c5fb46ebb5fd93b05bb2ec
SHA256

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6
SHA512

76396f20ca86c749a14510c8ae2ab03042867127956e1aacc5765c933471e1987b759122f2d90c1b87392d26e12329519dfac8b0a19692c0ec07288190a91cda
SSDEEP

24576:bJlmUJyTmqFOGfeRIvZ6+adOSMZgrWoIaWrcX:OvU+a/rSro

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1504	schtasks.exe
3564	schtasks.exe
4812	schtasks.exe
3448	schtasks.exe
1004	schtasks.exe
3764	schtasks.exe
2760	schtasks.exe
1776	schtasks.exe
4584	schtasks.exe
4432	schtasks.exe
372	schtasks.exe
3128	schtasks.exe
1128	schtasks.exe
4504	schtasks.exe
3172	schtasks.exe
4808	schtasks.exe
2008	schtasks.exe
3064	schtasks.exe
2960	schtasks.exe
4824	schtasks.exe
4192	schtasks.exe
1452	schtasks.exe
3972	schtasks.exe
2928	schtasks.exe
5080	schtasks.exe
4980	schtasks.exe
336	schtasks.exe
4788	schtasks.exe
3148	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
840	schtasks.exe
912	schtasks.exe
4944	schtasks.exe
4688	schtasks.exe
1632	schtasks.exe
3812	schtasks.exe
1812	schtasks.exe
2432	schtasks.exe
3408	schtasks.exe
3304	schtasks.exe
4660	schtasks.exe
1580	schtasks.exe
1788	schtasks.exe
2228	schtasks.exe
3192	schtasks.exe
1396	schtasks.exe
5076	schtasks.exe
2464	schtasks.exe
896	schtasks.exe
4184	schtasks.exe
3204	schtasks.exe
1948	schtasks.exe
4312	schtasks.exe
3220	schtasks.exe
2912	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	2816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2816	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exeRegistry.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4100-1-0x0000000000130000-0x0000000000262000-memory.dmp	dcrat
C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	dcrat
C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	dcrat
C:\Program Files (x86)\Windows Multimedia Platform\RCXE628.tmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4596	powershell.exe
4452	powershell.exe
4872	powershell.exe
3204	powershell.exe
1396	powershell.exe
656	powershell.exe
3960	powershell.exe
1716	powershell.exe
1812	powershell.exe
4148	powershell.exe
4036	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Executes dropped EXE 1 IoCs

Processes:

Registry.exe

pid process

5216 Registry.exe

pid	process
5216	Registry.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\StartMenuExperienceHost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6 = "\"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\7-Zip\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Cookies\\unsecapp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Public\\Documents\\SppExtComObj.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\7-Zip\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\StartMenuExperienceHost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6 = "\"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6 = "\"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6 = "\"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Public\\Documents\\SppExtComObj.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Cookies\\unsecapp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exeRegistry.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Drops file in Program Files directory 38 IoCs

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\TableTextService\RCXEF15.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\dllhost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXD623.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXDFAD.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXE628.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\29c1c3cc0f7685	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows NT\TableTextService\dllhost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXD41F.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\WindowsApps\MutableBackup\backgroundTaskHost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\cc11b995f2a76d	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows NT\TableTextService\5940a34987c991	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\7-Zip\dllhost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows Mail\c75fe4741891b9	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\aa97147c4c782d	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows Mail\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\MusNotification.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\SearchApp.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows Defender\it-IT\38384e6a620884	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\69ddcba757bf72	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\unsecapp.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\Windows Mail\RCXCB8F.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXED11.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\7-Zip\5940a34987c991	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\MusNotification.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\unsecapp.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\sppsvc.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows Defender\it-IT\SearchApp.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\55b276f4edf653	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files\7-Zip\RCXCD94.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCXE1B1.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\Windows Mail\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Program Files\7-Zip\dllhost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Drops file in Windows directory 4 IoCs

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	ioc	process
File opened for modification	C:\Windows\InputMethod\CHS\RCXE3B6.tmp	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File opened for modification	C:\Windows\InputMethod\CHS\TextInputHost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\InputMethod\CHS\TextInputHost.exe	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
File created	C:\Windows\InputMethod\CHS\22eafd247d37c3	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4660	schtasks.exe
372	schtasks.exe
4312	schtasks.exe
3448	schtasks.exe
1504	schtasks.exe
2228	schtasks.exe
840	schtasks.exe
896	schtasks.exe
1812	schtasks.exe
2008	schtasks.exe
5076	schtasks.exe
1632	schtasks.exe
3128	schtasks.exe
4688	schtasks.exe
3304	schtasks.exe
4432	schtasks.exe
1004	schtasks.exe
1788	schtasks.exe
3204	schtasks.exe
1948	schtasks.exe
2928	schtasks.exe
3192	schtasks.exe
336	schtasks.exe
1396	schtasks.exe
3812	schtasks.exe
3408	schtasks.exe
4788	schtasks.exe
4944	schtasks.exe
4184	schtasks.exe
3064	schtasks.exe
3148	schtasks.exe
4584	schtasks.exe
2960	schtasks.exe
5080	schtasks.exe
2432	schtasks.exe
1452	schtasks.exe
1776	schtasks.exe
4504	schtasks.exe
2760	schtasks.exe
1128	schtasks.exe
3764	schtasks.exe
3220	schtasks.exe
4812	schtasks.exe
3972	schtasks.exe
4980	schtasks.exe
3172	schtasks.exe
4824	schtasks.exe
4808	schtasks.exe
1580	schtasks.exe
4192	schtasks.exe
2464	schtasks.exe
2912	schtasks.exe
912	schtasks.exe
3564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegistry.exe

pid	process
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
1396	powershell.exe
1396	powershell.exe
1812	powershell.exe
1812	powershell.exe
4452	powershell.exe
4452	powershell.exe
4036	powershell.exe
4036	powershell.exe
1716	powershell.exe
1716	powershell.exe
3960	powershell.exe
3960	powershell.exe
3204	powershell.exe
3204	powershell.exe
4872	powershell.exe
4872	powershell.exe
4596	powershell.exe
4596	powershell.exe
4148	powershell.exe
4148	powershell.exe
656	powershell.exe
656	powershell.exe
1716	powershell.exe
3960	powershell.exe
1396	powershell.exe
4452	powershell.exe
1812	powershell.exe
4872	powershell.exe
4036	powershell.exe
4596	powershell.exe
3204	powershell.exe
4148	powershell.exe
656	powershell.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe
5216	Registry.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Registry.exe

pid process

5216 Registry.exe

pid	process
5216	Registry.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	5216	Registry.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	pid	process	target process
PID 4100 wrote to memory of 1396	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 1396	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 656	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 656	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 3960	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 3960	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4596	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4596	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 1716	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 1716	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4452	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4452	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4872	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4872	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 1812	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 1812	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 3204	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 3204	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4148	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4148	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4036	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 4036	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	powershell.exe
PID 4100 wrote to memory of 5216	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	Registry.exe
PID 4100 wrote to memory of 5216	4100	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe	Registry.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

Registry.exe2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
"C:\Users\Admin\AppData\Local\Temp\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Recovery\WindowsRE\Registry.exe
  "C:\Recovery\WindowsRE\Registry.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd62" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd62" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd62" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6" /sc ONLOGON /tr "'C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd62" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\MusNotification.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\MusNotification.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\MusNotification.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\CHS\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHS\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHS\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\RCXE628.tmp

Filesize
1.2MB

MD5
ee379da99cf88915bdceb9078820ad59

SHA1
122adb0e2293baae49daa60de601b277f9d4279f

SHA256
7eed5e541aebf6fae26e68359ad4a7fd6915ab63e74b3a2be9544025235e1568

SHA512
3ad6f41a2da4427caa6f136499dc0b9e91280607c63d52597b824e66bf14bfc914f85c891bc04c8ddc497feeceb1846712daec78a1fe22c798e462dfe3591a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbf4olqv.1kj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Filesize
1.2MB

MD5
a3b87f6879e6378e36f1ea28a2c1f711

SHA1
4ebec11ce17f52a106edac71ad8adcb6eb712c93

SHA256
0e35b91a68368c15ce130cfa62e867d45df839add6586ef56622b5988132183a

SHA512
9dd5785eee6f9deb8f56875f851ab773883a4e795502cb0dee80b80a1164e4a202ee306787f4c8ff2f38fa09032ee05412c62973e7948c0a9f0d823469d815fe

Download Submit
C:\Users\Public\Music\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe

Filesize
1.2MB

MD5
477211148933cc41d67087078f70cd58

SHA1
3a931ffa7e536bd381c5fb46ebb5fd93b05bb2ec

SHA256
2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6

SHA512
76396f20ca86c749a14510c8ae2ab03042867127956e1aacc5765c933471e1987b759122f2d90c1b87392d26e12329519dfac8b0a19692c0ec07288190a91cda

Download Submit
memory/1396-232-0x000001DC22BC0000-0x000001DC22BE2000-memory.dmp

Filesize
136KB

Download
memory/4100-12-0x000000001AE00000-0x000000001AE0C000-memory.dmp

Filesize
48KB

Download
memory/4100-6-0x000000001ADA0000-0x000000001ADA8000-memory.dmp

Filesize
32KB

Download
memory/4100-0-0x00007FFDCF483000-0x00007FFDCF485000-memory.dmp

Filesize
8KB

Download
memory/4100-13-0x000000001B420000-0x000000001B42C000-memory.dmp

Filesize
48KB

Download
memory/4100-10-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

Filesize
48KB

Download
memory/4100-9-0x000000001ADD0000-0x000000001ADD8000-memory.dmp

Filesize
32KB

Download
memory/4100-8-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

Filesize
48KB

Download
memory/4100-145-0x00007FFDCF483000-0x00007FFDCF485000-memory.dmp

Filesize
8KB

Download
memory/4100-152-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/4100-11-0x000000001ADF0000-0x000000001ADF8000-memory.dmp

Filesize
32KB

Download
memory/4100-7-0x000000001ADB0000-0x000000001ADBA000-memory.dmp

Filesize
40KB

Download
memory/4100-334-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/4100-5-0x000000001AD90000-0x000000001AD98000-memory.dmp

Filesize
32KB

Download
memory/4100-4-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4100-3-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/4100-2-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/4100-1-0x0000000000130000-0x0000000000262000-memory.dmp

Filesize
1.2MB

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\", \"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\", \"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Users\\Default\\Cookies\\unsecapp.exe\", \"C:\\Users\\Public\\Documents\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\StartMenuExperienceHost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\", \"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\", \"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Users\\Default\\Cookies\\unsecapp.exe\", \"C:\\Users\\Public\\Documents\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\", \"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Users\\Default\\Cookies\\unsecapp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Program Files\\Windows Mail\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files\\7-Zip\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\SppExtComObj.exe\", \"C:\\Users\\Public\\Music\\2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\MusNotification.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\unsecapp.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\Recent\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\smss.exe\", \"C:\\Windows\\InputMethod\\CHS\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\winlogon.exe\", \"C:\\Users\\Default\\Cookies\\unsecapp.exe\", \"C:\\Users\\Public\\Documents\\SppExtComObj.exe\""	2e18c0635a5593a2959b9a7c47d1145dd7115142013e4b0d6b4f931e63590fd6.exe