dcrat | 4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Size

1.5MB
MD5

175728fc0156adf96439d339ae5a0658
SHA1

77712760c74c0d4826916126c1539ed0ce235dc5
SHA256

4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1
SHA512

436c18106c410c14d538a288458b3c91d2a0ffbbd22ae80d585482fbf9a0b710b980b4bfdf023528f064380494a0aad04d5d3936ffc6f88f2ea98e0ac5d26818
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRi:kzhWhCXQFN+0IEuQgyiVKq

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Public\\Music\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\System32\\webservices\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Public\\Music\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Public\\Music\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\System32\\webservices\\dwm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Public\\Music\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\System32\\webservices\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\", \"C:\\Windows\\System32\\rasdiag\\winlogon.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Public\\Music\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\System32\\webservices\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\", \"C:\\Windows\\System32\\rasdiag\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\", \"C:\\Windows\\addins\\csrss.exe\", \"C:\\Users\\Public\\Music\\fontdrvhost.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4812	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4812	schtasks.exe	84

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3084	powershell.exe
1656	powershell.exe
3760	powershell.exe
1732	powershell.exe
3616	powershell.exe
1824	powershell.exe
4268	powershell.exe
4300	powershell.exe
1444	powershell.exe
1588	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 14 IoCs

pid	Process
4784	SearchApp.exe
2168	SearchApp.exe
1908	SearchApp.exe
2196	SearchApp.exe
3704	SearchApp.exe
1332	SearchApp.exe
4308	SearchApp.exe
4940	SearchApp.exe
2196	SearchApp.exe
3460	SearchApp.exe
4536	SearchApp.exe
3200	SearchApp.exe
2232	SearchApp.exe
1828	SearchApp.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\Music\\fontdrvhost.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\webservices\\dwm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\addins\\csrss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\webservices\\dwm.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\rasdiag\\winlogon.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApi\\SearchApp.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\addins\\csrss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\rasdiag\\winlogon.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\Music\\fontdrvhost.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\rasdiag\winlogon.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\rasdiag\cc11b995f2a76d	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\webservices\RCX77B6.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\webservices\dwm.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\rasdiag\RCX7CD9.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\System32\rasdiag\winlogon.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\webservices\dwm.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\System32\webservices\6cb0b6c459d5d3	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\addins\886983d96e3d3e	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\38384e6a620884	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi\RCX6D9F.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\addins\RCX71A9.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\RCX7A38.tmp	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi\38384e6a620884	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\addins\csrss.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\addins\csrss.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi\SearchApp.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi\SearchApp.exe	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe
1936	schtasks.exe
4708	schtasks.exe
2032	schtasks.exe
4576	schtasks.exe
2116	schtasks.exe
3020	schtasks.exe
3312	schtasks.exe
4952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
3084	powershell.exe
3084	powershell.exe
1656	powershell.exe
1656	powershell.exe
1824	powershell.exe
1824	powershell.exe
4300	powershell.exe
4300	powershell.exe
1444	powershell.exe
1444	powershell.exe
3760	powershell.exe
3760	powershell.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
1732	powershell.exe
1732	powershell.exe
4268	powershell.exe
4268	powershell.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
1588	powershell.exe
1588	powershell.exe
3616	powershell.exe
3616	powershell.exe
4268	powershell.exe
3084	powershell.exe
1656	powershell.exe
1824	powershell.exe
4300	powershell.exe
3760	powershell.exe
1444	powershell.exe
1732	powershell.exe
1588	powershell.exe
2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
3616	powershell.exe
4784	SearchApp.exe
4784	SearchApp.exe
4784	SearchApp.exe
4784	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	4784	SearchApp.exe
Token: SeDebugPrivilege	2168	SearchApp.exe
Token: SeDebugPrivilege	1908	SearchApp.exe
Token: SeDebugPrivilege	2196	SearchApp.exe
Token: SeDebugPrivilege	3704	SearchApp.exe
Token: SeDebugPrivilege	1332	SearchApp.exe
Token: SeDebugPrivilege	4308	SearchApp.exe
Token: SeDebugPrivilege	4940	SearchApp.exe
Token: SeDebugPrivilege	2196	SearchApp.exe
Token: SeDebugPrivilege	3460	SearchApp.exe
Token: SeDebugPrivilege	4536	SearchApp.exe
Token: SeDebugPrivilege	3200	SearchApp.exe
Token: SeDebugPrivilege	2232	SearchApp.exe
Token: SeDebugPrivilege	1828	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3616	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	97
PID 2328 wrote to memory of 3616	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	97
PID 2328 wrote to memory of 3084	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	98
PID 2328 wrote to memory of 3084	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	98
PID 2328 wrote to memory of 1824	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	99
PID 2328 wrote to memory of 1824	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	99
PID 2328 wrote to memory of 4268	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	100
PID 2328 wrote to memory of 4268	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	100
PID 2328 wrote to memory of 4300	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	101
PID 2328 wrote to memory of 4300	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	101
PID 2328 wrote to memory of 1444	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	102
PID 2328 wrote to memory of 1444	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	102
PID 2328 wrote to memory of 1588	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	103
PID 2328 wrote to memory of 1588	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	103
PID 2328 wrote to memory of 1656	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	104
PID 2328 wrote to memory of 1656	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	104
PID 2328 wrote to memory of 3760	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	105
PID 2328 wrote to memory of 3760	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	105
PID 2328 wrote to memory of 1732	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	106
PID 2328 wrote to memory of 1732	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	106
PID 2328 wrote to memory of 4784	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	117
PID 2328 wrote to memory of 4784	2328	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe	117
PID 4784 wrote to memory of 4868	4784	SearchApp.exe	118
PID 4784 wrote to memory of 4868	4784	SearchApp.exe	118
PID 4784 wrote to memory of 208	4784	SearchApp.exe	119
PID 4784 wrote to memory of 208	4784	SearchApp.exe	119
PID 4868 wrote to memory of 2168	4868	WScript.exe	125
PID 4868 wrote to memory of 2168	4868	WScript.exe	125
PID 2168 wrote to memory of 3564	2168	SearchApp.exe	126
PID 2168 wrote to memory of 3564	2168	SearchApp.exe	126
PID 2168 wrote to memory of 3268	2168	SearchApp.exe	127
PID 2168 wrote to memory of 3268	2168	SearchApp.exe	127
PID 3564 wrote to memory of 1908	3564	WScript.exe	132
PID 3564 wrote to memory of 1908	3564	WScript.exe	132
PID 1908 wrote to memory of 3184	1908	SearchApp.exe	133
PID 1908 wrote to memory of 3184	1908	SearchApp.exe	133
PID 1908 wrote to memory of 3860	1908	SearchApp.exe	134
PID 1908 wrote to memory of 3860	1908	SearchApp.exe	134
PID 3184 wrote to memory of 2196	3184	WScript.exe	138
PID 3184 wrote to memory of 2196	3184	WScript.exe	138
PID 2196 wrote to memory of 4344	2196	SearchApp.exe	139
PID 2196 wrote to memory of 4344	2196	SearchApp.exe	139
PID 2196 wrote to memory of 1488	2196	SearchApp.exe	140
PID 2196 wrote to memory of 1488	2196	SearchApp.exe	140
PID 4344 wrote to memory of 3704	4344	WScript.exe	141
PID 4344 wrote to memory of 3704	4344	WScript.exe	141
PID 3704 wrote to memory of 4012	3704	SearchApp.exe	142
PID 3704 wrote to memory of 4012	3704	SearchApp.exe	142
PID 3704 wrote to memory of 1304	3704	SearchApp.exe	143
PID 3704 wrote to memory of 1304	3704	SearchApp.exe	143
PID 4012 wrote to memory of 1332	4012	WScript.exe	144
PID 4012 wrote to memory of 1332	4012	WScript.exe	144
PID 1332 wrote to memory of 4800	1332	SearchApp.exe	145
PID 1332 wrote to memory of 4800	1332	SearchApp.exe	145
PID 1332 wrote to memory of 2704	1332	SearchApp.exe	146
PID 1332 wrote to memory of 2704	1332	SearchApp.exe	146
PID 4800 wrote to memory of 4308	4800	WScript.exe	148
PID 4800 wrote to memory of 4308	4800	WScript.exe	148
PID 4308 wrote to memory of 2076	4308	SearchApp.exe	149
PID 4308 wrote to memory of 2076	4308	SearchApp.exe	149
PID 4308 wrote to memory of 3960	4308	SearchApp.exe	150
PID 4308 wrote to memory of 3960	4308	SearchApp.exe	150
PID 2076 wrote to memory of 4940	2076	WScript.exe	151
PID 2076 wrote to memory of 4940	2076	WScript.exe	151

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe
"C:\Users\Admin\AppData\Local\Temp\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\webservices\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rasdiag\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4784
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94afaaad-987b-4dd7-813c-2772baf88def.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
      C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2168
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cb84d2b-bbc8-4107-a05d-bb85baf82e64.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f71da05-6a02-4c46-a6c6-f8fcda9d400d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ae5941-0f12-4fb9-8e9d-e3ad8fe306e3.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab7ce29d-e2e1-4057-9e2b-833ca2ea449b.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d34688d-a4b7-4b4d-9274-9a6ef75e5b51.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\558fb03c-3c25-4c6c-b257-10e6879556e0.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c194df0-64b3-460a-baeb-4252363758af.vbs"
        17⤵
        
        PID:4332
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57b65ef2-3db1-462d-b19d-f5308f404021.vbs"
        19⤵
        
        PID:3284
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a710845-89f5-4cb9-810d-ffcd6b47a9ec.vbs"
        21⤵
        
        PID:4408
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e423fdd-7205-4bdb-aaf3-be6e327fc7c1.vbs"
        23⤵
        
        PID:3868
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c151029-a02d-4a01-84cf-24beead3d4e7.vbs"
        25⤵
        
        PID:2088
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ddd853d-9923-4c6a-8c83-c520121147d9.vbs"
        27⤵
        
        PID:1240
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f472cfb-638b-4f7e-9cb8-fc7d3da5e0f9.vbs"
        29⤵
        
        PID:3744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8729c35-9665-4077-a2a1-4d91dfa16aae.vbs"
        29⤵
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9171ad27-70a8-4edd-ba6f-556b0b2b4890.vbs"
        27⤵
        
        PID:4724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\440c4d9f-1239-4497-aa14-7b1dacb53688.vbs"
        25⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f16009d-ac6e-499f-a4cc-6ec5c881749a.vbs"
        23⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b646c23-594e-4414-9eee-97d398c8fa32.vbs"
        21⤵
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23328c09-9e33-44aa-a1b6-863edf8dd666.vbs"
        19⤵
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8b8ec18-b80f-4e6c-87c5-e208dbb333bd.vbs"
        17⤵
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c6914d3-cc2e-4753-a674-513c9fe0528b.vbs"
        15⤵
        
        PID:3960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9889a1-685e-4b23-a1d3-3a0ebbb2a338.vbs"
        13⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b04c48-03dc-46c9-9a71-57626de60f0b.vbs"
        11⤵
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b25b17-d34f-476e-97fb-c8a529f3094e.vbs"
        9⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\703cf039-a688-41c9-a928-cad529ff3438.vbs"
        7⤵
        
        PID:3860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c0d5e32-3597-4619-a1ca-00dec702b15f.vbs"
        5⤵
        
        PID:3268
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8de88c-55e9-40b7-9885-f98d17d37da2.vbs"
    3⤵
    PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApi\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\{1148644D-36F1-44F1-AC84-97F68AD36193} - OProcSessId\4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\webservices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\rasdiag\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
1.5MB

MD5
175728fc0156adf96439d339ae5a0658

SHA1
77712760c74c0d4826916126c1539ed0ce235dc5

SHA256
4d0394e71bc2839b2926bbccb8747103f54055eeb3c9339aa124278043bc13a1

SHA512
436c18106c410c14d538a288458b3c91d2a0ffbbd22ae80d585482fbf9a0b710b980b4bfdf023528f064380494a0aad04d5d3936ffc6f88f2ea98e0ac5d26818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cb84d2b-bbc8-4107-a05d-bb85baf82e64.vbs

Filesize
760B

MD5
4dccba0f61ecd31a035dbbd0083ef142

SHA1
afe33f2cf62acbcc2e80ccb4a321d8f0dfe42bc3

SHA256
26cb027d3da519bdd75865d15a1b809216740b66eecaa1d3b169e11e4729b468

SHA512
6000acd0a666f42f1cf87786102d52ec0f26d7e6ab8b8765454430a1d582379253c3f3c6bc55d455e5d31996bc49d5d49808be6bba7252cc36f14da46f98ae4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a710845-89f5-4cb9-810d-ffcd6b47a9ec.vbs

Filesize
760B

MD5
d2d2e07c5631b53bed645403193898c8

SHA1
5bbc932829f11588872e2736e44fa275ee118ba1

SHA256
e0c54be8f49821941fb57f02fae1f29f2e65077e029896e2b06c53312e8f08e1

SHA512
023d0a8ea1e6025c3f567a92127373258bd44326dd758dd2a397a246b1732b1a69e55aae23cbb37f2939843d61b7ba0c81028f97da0f3d621e01797c4bec32ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ddd853d-9923-4c6a-8c83-c520121147d9.vbs

Filesize
760B

MD5
b66cda77d06c685ff678b3760f2e76da

SHA1
0d7a9afe458e7e48ceacefddc9727bcc100348bf

SHA256
27522db17ae2f8ce63122b354d65fa60045b0e06f92bec6a970503daef863895

SHA512
40acecb818d13ed842f98c83c7100f7d9b93fb3db7042b83df5338702b4ffcf58e1ccdaf5f1e00caf4f4845784161752ed84f500386fb0f370424625f3bae117

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f71da05-6a02-4c46-a6c6-f8fcda9d400d.vbs

Filesize
760B

MD5
b69a3375984aff9df3033bbf40df18a3

SHA1
169003cd8c385260a0bea7e668084c798574f246

SHA256
ba9f9fe20a801f0f16f09c55662ed4a35bbbb0f54e76bd482aaa6dc30efb40eb

SHA512
5d5e7295771c7670644b471a2bce7dbb07d9e0d1e9242df2b033353e1838b16b42f109c32ff32548de8e7c8572488bcd341560ea650c1e3c4355e6671c2b20ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e423fdd-7205-4bdb-aaf3-be6e327fc7c1.vbs

Filesize
760B

MD5
ab2b49e03cc3746fda162b223b59b895

SHA1
f4d43090dbd151b88c23fa66f6b3d33dfc68eb49

SHA256
51c25ad0b52c80fb992ca13c4557b267379c503f084dea705a07178ab7035bc7

SHA512
95b8edbc6a47738ef1b4fb2bd770f6cb65dc8ae96cb7e0d38fe78e799804b941e48c73952a048558d1174889dd09b6f3181ced2707d0664b80bfd20cb913f40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c194df0-64b3-460a-baeb-4252363758af.vbs

Filesize
760B

MD5
b657c7501ad08e130a714d6dee7e7815

SHA1
c2a2fd872cf428cc290dd29d54a2ab25ea17a1fc

SHA256
302c7f6fb05b12a5f7c7ceb6af9523cdfe6370159b889dd470c62abf2497388e

SHA512
fda43be869e48dc6d486cfad87bede027146714a93a09164a131f546c736a634947c51211ab8bcb1c18913b66d1ecb4876a1bc53978b1a7b36a7286677a8a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\558fb03c-3c25-4c6c-b257-10e6879556e0.vbs

Filesize
760B

MD5
a872e6dd671c77ed957c1ebf927fec01

SHA1
51f5c1465f1eec4ed6cbbfa1499a7b4d9df7e432

SHA256
d509cc2a2c71d40f62fd86b9d3941d3df526bd3f208cd90a3e405ac8818202e5

SHA512
97c1291039e06f846ec10500574c6d60dd2ad49e0ab14af87ab1ef507e417b692b2babb585d77bc619a480b7bbbbd21c475fe83ce27a440f3437bb618b6b3c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c151029-a02d-4a01-84cf-24beead3d4e7.vbs

Filesize
760B

MD5
b7ccbde6072cfe325ed6c97bad5c7376

SHA1
bb28e1dd7ef579eb144e30c2d2000496a12cd1cd

SHA256
b119fcf7321c4cb961aa12652e04cb9c60f3e55a07c320ad803da179f514b856

SHA512
4e1af99ef175add9da38c2cf1e7b95bd819a2d4e8c3c216877461d56165def75fd13192211e5a387b115b6c0f340d129626535341e0e5234d8b60da1e4954080

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d34688d-a4b7-4b4d-9274-9a6ef75e5b51.vbs

Filesize
760B

MD5
2150e060e55fe61247c6e23b8381b548

SHA1
4acb44ce4fbaf2a0b500f4cd8aeded33ec2792c7

SHA256
b93968bffdf306b8e91f52ec909d07171ef33d92e3f541e6539b7330b6f270ec

SHA512
4e967a0ae6c96d5108cfc369926c98189ef0dd8745eb29ad1b5800fd9dbae0165add16ac9fe5be9b490acf086bdca4cbe33d42bba3461378c88e738d43644c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\94afaaad-987b-4dd7-813c-2772baf88def.vbs

Filesize
760B

MD5
7de90e107bc8ac23059d1b9ff0ba65be

SHA1
df9c20f2143a2cb8cd1b1157df7ec0fced4f9850

SHA256
de798c4b1d9f9b753236afef4ca4afb8fb7cd5db6b5afbb68d72d7ed5ee8a0c9

SHA512
396b41c7392fef1e13c5d2df78e28b859e47ba0307dd0da469eee99698bbf911f9d4775f62fd10b3256773cf5022a66e21b533caebce5a4f5f74dac81dc383d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fozunzyg.wxs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3ae5941-0f12-4fb9-8e9d-e3ad8fe306e3.vbs

Filesize
760B

MD5
52f70d4ed0662594dfa61167e94b26c6

SHA1
0e43c83137770ca9b1fc28999671641bebb4e618

SHA256
736adc1c8cdcda916f7642d4cbb9b7182a261644744cc46a335fa98017e601c1

SHA512
e4f8f2d6229e573bb5908bf048ae2cbdbfea6723b1480b8f4a0cc38db6b71ddb7daa98fca99c443739d3aa5fe095c31d20e9a1332b9f8fa7e96b9cfb44a8fbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab7ce29d-e2e1-4057-9e2b-833ca2ea449b.vbs

Filesize
760B

MD5
b56a84af03a0e261ec1f1bab1c6286a5

SHA1
299de77cf58958f5e1bfe6ab29f168b92f2f42d5

SHA256
1e647bb6a2ebe373c9f06ea3d004d4e5e0bcfc4fe9738c92bb118423be2b1fd7

SHA512
d79857bfb3e42740b602203dd0f63ed850664602889ead30ab27455a16f284503b0f54a9e6053f5959a5f8e11da797dfe3fb6b0ecc5a07d796529b63c93ddd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed8de88c-55e9-40b7-9885-f98d17d37da2.vbs

Filesize
536B

MD5
435510266a9cbfe0e66c891ed8ed54ef

SHA1
df392c021f05d5618e7da4c63091214d1ed41cc9

SHA256
fac369bd6c84b3ddedbc3c424a022c83fae0cad284160c35d63c82e1b1b16c6e

SHA512
b968e4c5a0ddca1575089693aa837562e32e13975d1df3d2770952e6ee5da8bf9687644a29eb3f19e6a85b301b69852657289e76d89c30b9722e47a475a195c4

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe

Filesize
1.5MB

MD5
b0eb746d74cb2c12293aff6dd2f4bae9

SHA1
ac581dc387b9b5edea9559e71c0a2531db3e36fc

SHA256
f406ae9028baedb85497c8b4f260ced288ffc5dcf286c23ff8d67fada822e1b3

SHA512
f18fb9d8ec97dfd0f05e32d64144e293321764e31f4df4170236caa8c6817ab1cc31acaf4e52029465862b4edade52a46e7b630b0e64d3d16dba136ee3584294

Download Submit
memory/1332-339-0x000000001BB90000-0x000000001BBA2000-memory.dmp

Filesize
72KB

Download
memory/1824-163-0x00000258CA000000-0x00000258CA022000-memory.dmp

Filesize
136KB

Download
memory/1828-430-0x00000000019A0000-0x00000000019B2000-memory.dmp

Filesize
72KB

Download
memory/1908-305-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/2168-293-0x00000000014D0000-0x00000000014E2000-memory.dmp

Filesize
72KB

Download
memory/2328-14-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

Filesize
48KB

Download
memory/2328-12-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

Filesize
32KB

Download
memory/2328-258-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-1-0x0000000000C80000-0x0000000000DFE000-memory.dmp

Filesize
1.5MB

Download
memory/2328-245-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/2328-25-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-24-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-21-0x000000001C180000-0x000000001C188000-memory.dmp

Filesize
32KB

Download
memory/2328-20-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/2328-18-0x000000001C100000-0x000000001C108000-memory.dmp

Filesize
32KB

Download
memory/2328-16-0x000000001C0E0000-0x000000001C0E8000-memory.dmp

Filesize
32KB

Download
memory/2328-17-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

Filesize
48KB

Download
memory/2328-15-0x000000001C0D0000-0x000000001C0DA000-memory.dmp

Filesize
40KB

Download
memory/2328-0-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/2328-11-0x000000001C090000-0x000000001C0A0000-memory.dmp

Filesize
64KB

Download
memory/2328-2-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-13-0x000000001C0B0000-0x000000001C0BA000-memory.dmp

Filesize
40KB

Download
memory/2328-10-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/2328-8-0x000000001BA50000-0x000000001BA58000-memory.dmp

Filesize
32KB

Download
memory/2328-9-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download
memory/2328-6-0x0000000001700000-0x000000000170A000-memory.dmp

Filesize
40KB

Download
memory/2328-7-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/2328-5-0x000000001BA30000-0x000000001BA3C000-memory.dmp

Filesize
48KB

Download
memory/2328-4-0x00000000016E0000-0x00000000016F2000-memory.dmp

Filesize
72KB

Download
memory/2328-3-0x00000000016D0000-0x00000000016D8000-memory.dmp

Filesize
32KB

Download
memory/3200-407-0x00000000019D0000-0x00000000019E2000-memory.dmp

Filesize
72KB

Download
memory/4536-395-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/4784-257-0x0000000000C10000-0x0000000000D8E000-memory.dmp

Filesize
1.5MB

Download
memory/4784-259-0x0000000002ED0000-0x0000000002EE2000-memory.dmp

Filesize
72KB

Download