dcrat | 26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Size

1.5MB
MD5

f91496771d28964b72f434ea6126dfa8
SHA1

a4931a74891db919f9fedac48df224239fd06f6b
SHA256

26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7
SHA512

8395779d39446f35acbf91e20e7ba236a4c2b66ee4a90a75898014855775ccd5038b848ba513d3d28faccbce1738d548a322f25f86dbe794b16423b10049dbc1
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRp:EzhWhCXQFN+0IEuQgyiVKR

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\Windows\\System32\\C_865\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\XInputUap\\fontdrvhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Users\\All Users\\Templates\\csrss.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\Windows\\System32\\C_865\\dllhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\Windows\\System32\\C_865\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	1504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1504	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1504	schtasks.exe	85

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe
3008	powershell.exe
1820	powershell.exe
2444	powershell.exe
4788	powershell.exe
4616	powershell.exe
784	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 11 IoCs

pid	Process
3024	winlogon.exe
3812	winlogon.exe
2140	winlogon.exe
1980	winlogon.exe
4240	winlogon.exe
452	winlogon.exe
3300	winlogon.exe
5100	winlogon.exe
3608	winlogon.exe
2360	winlogon.exe
2524	winlogon.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Templates\\csrss.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\C_865\\dllhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\XInputUap\\fontdrvhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Templates\\csrss.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\C_865\\dllhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\XInputUap\\fontdrvhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\aitstatic\\taskhostw.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\XInputUap\fontdrvhost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\aitstatic\ea9f0e6c9e2dcd	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\C_865\5940a34987c991	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\XInputUap\fontdrvhost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\C_865\RCXB049.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\C_865\dllhost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\XInputUap\RCXB452.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\aitstatic\taskhostw.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\aitstatic\taskhostw.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\C_865\dllhost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\XInputUap\5b884080fd4f94	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\aitstatic\RCXA9AE.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXABB3.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\csrss.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\RCXB24D.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1456	schtasks.exe
3764	schtasks.exe
1248	schtasks.exe
1336	schtasks.exe
212	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
4788	powershell.exe
2444	powershell.exe
3008	powershell.exe
4616	powershell.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2368	powershell.exe
3008	powershell.exe
3008	powershell.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
1820	powershell.exe
1820	powershell.exe
784	powershell.exe
784	powershell.exe
1820	powershell.exe
2444	powershell.exe
2444	powershell.exe
4788	powershell.exe
4788	powershell.exe
4616	powershell.exe
4616	powershell.exe
2368	powershell.exe
2368	powershell.exe
2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
784	powershell.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe
3024	winlogon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	3024	winlogon.exe
Token: SeDebugPrivilege	3812	winlogon.exe
Token: SeDebugPrivilege	2140	winlogon.exe
Token: SeDebugPrivilege	1980	winlogon.exe
Token: SeDebugPrivilege	4240	winlogon.exe
Token: SeDebugPrivilege	452	winlogon.exe
Token: SeDebugPrivilege	3300	winlogon.exe
Token: SeDebugPrivilege	5100	winlogon.exe
Token: SeDebugPrivilege	3608	winlogon.exe
Token: SeDebugPrivilege	2360	winlogon.exe
Token: SeDebugPrivilege	2524	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 4616	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	93
PID 2144 wrote to memory of 4616	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	93
PID 2144 wrote to memory of 784	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	94
PID 2144 wrote to memory of 784	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	94
PID 2144 wrote to memory of 2368	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	95
PID 2144 wrote to memory of 2368	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	95
PID 2144 wrote to memory of 3008	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	96
PID 2144 wrote to memory of 3008	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	96
PID 2144 wrote to memory of 1820	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	97
PID 2144 wrote to memory of 1820	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	97
PID 2144 wrote to memory of 2444	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	98
PID 2144 wrote to memory of 2444	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	98
PID 2144 wrote to memory of 4788	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	99
PID 2144 wrote to memory of 4788	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	99
PID 2144 wrote to memory of 3024	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	107
PID 2144 wrote to memory of 3024	2144	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	107
PID 3024 wrote to memory of 4976	3024	winlogon.exe	108
PID 3024 wrote to memory of 4976	3024	winlogon.exe	108
PID 3024 wrote to memory of 2568	3024	winlogon.exe	109
PID 3024 wrote to memory of 2568	3024	winlogon.exe	109
PID 4976 wrote to memory of 3812	4976	WScript.exe	112
PID 4976 wrote to memory of 3812	4976	WScript.exe	112
PID 3812 wrote to memory of 1072	3812	winlogon.exe	115
PID 3812 wrote to memory of 1072	3812	winlogon.exe	115
PID 3812 wrote to memory of 3088	3812	winlogon.exe	116
PID 3812 wrote to memory of 3088	3812	winlogon.exe	116
PID 1072 wrote to memory of 2140	1072	WScript.exe	123
PID 1072 wrote to memory of 2140	1072	WScript.exe	123
PID 2140 wrote to memory of 4484	2140	winlogon.exe	124
PID 2140 wrote to memory of 4484	2140	winlogon.exe	124
PID 2140 wrote to memory of 3016	2140	winlogon.exe	125
PID 2140 wrote to memory of 3016	2140	winlogon.exe	125
PID 4484 wrote to memory of 1980	4484	WScript.exe	129
PID 4484 wrote to memory of 1980	4484	WScript.exe	129
PID 1980 wrote to memory of 3884	1980	winlogon.exe	130
PID 1980 wrote to memory of 3884	1980	winlogon.exe	130
PID 1980 wrote to memory of 3132	1980	winlogon.exe	131
PID 1980 wrote to memory of 3132	1980	winlogon.exe	131
PID 3884 wrote to memory of 4240	3884	WScript.exe	132
PID 3884 wrote to memory of 4240	3884	WScript.exe	132
PID 4240 wrote to memory of 1724	4240	winlogon.exe	133
PID 4240 wrote to memory of 1724	4240	winlogon.exe	133
PID 4240 wrote to memory of 2008	4240	winlogon.exe	134
PID 4240 wrote to memory of 2008	4240	winlogon.exe	134
PID 1724 wrote to memory of 452	1724	WScript.exe	135
PID 1724 wrote to memory of 452	1724	WScript.exe	135
PID 452 wrote to memory of 1476	452	winlogon.exe	136
PID 452 wrote to memory of 1476	452	winlogon.exe	136
PID 452 wrote to memory of 4584	452	winlogon.exe	137
PID 452 wrote to memory of 4584	452	winlogon.exe	137
PID 1476 wrote to memory of 3300	1476	WScript.exe	139
PID 1476 wrote to memory of 3300	1476	WScript.exe	139
PID 3300 wrote to memory of 1152	3300	winlogon.exe	140
PID 3300 wrote to memory of 1152	3300	winlogon.exe	140
PID 3300 wrote to memory of 4816	3300	winlogon.exe	141
PID 3300 wrote to memory of 4816	3300	winlogon.exe	141
PID 1152 wrote to memory of 5100	1152	WScript.exe	142
PID 1152 wrote to memory of 5100	1152	WScript.exe	142
PID 5100 wrote to memory of 1036	5100	winlogon.exe	143
PID 5100 wrote to memory of 1036	5100	winlogon.exe	143
PID 5100 wrote to memory of 2312	5100	winlogon.exe	144
PID 5100 wrote to memory of 2312	5100	winlogon.exe	144
PID 1036 wrote to memory of 3608	1036	WScript.exe	145
PID 1036 wrote to memory of 3608	1036	WScript.exe	145

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
"C:\Users\Admin\AppData\Local\Temp\26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\aitstatic\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_865\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\XInputUap\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0aca9b1-d4de-43e1-b37b-46f6fd558da5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24e097f2-6c81-41c8-9f93-09ff436d5ec1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\953728bc-dfc8-4bfd-945c-e19c14b32a80.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1570df9-b268-4f25-b3ac-fb95f1f1e4f8.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d4332a6-d805-49af-bcc6-d0881d986598.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28fceb3f-0c78-45f4-aea7-050e5db842f2.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7e9796b-db15-427c-a52e-707194d99a8c.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bab1fa1e-86a9-4f54-900e-cfe8e838bc32.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\392e716d-89dc-4753-ad66-c4992476f750.vbs"
        19⤵
        
        PID:4756
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cd2f0c0-3886-4284-a209-a2d5b1596f2d.vbs"
        21⤵
        
        PID:1520
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5dd7bf4-c5bf-4751-8452-5c72ace23edf.vbs"
        23⤵
        
        PID:4244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb8f6ba-3752-4d11-9468-b55bce08d5a0.vbs"
        23⤵
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ef29541-736e-492e-a233-097f390896e2.vbs"
        21⤵
        
        PID:3280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\921b6b31-fcd9-4ed0-a6cd-a3d4c0f636b2.vbs"
        19⤵
        
        PID:4764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868167bf-60bd-4780-be89-97160c4f2215.vbs"
        17⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8872ad1-1d74-4e29-ab88-338f669f48f3.vbs"
        15⤵
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d80bd459-5643-4a8e-bbea-28c5769ecde4.vbs"
        13⤵
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ed8f4d-11e5-4cda-8bbc-76e0c1f868da.vbs"
        11⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773642a4-ad5d-4fa2-9c30-45dd8f71321c.vbs"
        9⤵
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d5df234-389a-4735-95c8-2aaa7361a853.vbs"
        7⤵
        
        PID:3016
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9c61fae-3251-4377-abe3-bf5d674fb60d.vbs"
        5⤵
        
        PID:3088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d41cc85-9877-4ea3-8cb2-573fc6fba9a4.vbs"
    3⤵
    PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\aitstatic\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\C_865\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\XInputUap\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe

Filesize
1.5MB

MD5
5b2d5c3961181b6d49b8ea838afc3677

SHA1
b8e5f803657f24873235d14beead9d188d8b0b07

SHA256
034d2123d01048ba2ff85799e17776dc57e9b2b65e5dc0e638adbab30f4b72b8

SHA512
6a32eefcd822650854a9cf7da0beede77520a71201f479bae738e81884f04b44831b5e7c9feed39782305d6bf1214449b77d0c00cd8c9b7c051de93c21d1106b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cd2f0c0-3886-4284-a209-a2d5b1596f2d.vbs

Filesize
744B

MD5
94e7b71b295d8cc36ed5131729424ab7

SHA1
6ebcd51c986c305e8cd13b5e3449a5eeaf7ab285

SHA256
2974eacb11e8c8eba29da52f160cc47d9f49e8ab8ee2f62f00845144aba6f5b1

SHA512
aeeda9e293e062d4401d8d409895e7f57612df4312e394097bebcc51c108a69ee7a35f78d0770fa951ff39baa4e35bda2736c3acf51ec60425b82a6760c183b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d41cc85-9877-4ea3-8cb2-573fc6fba9a4.vbs

Filesize
520B

MD5
c9bb3155f01b0aaeccf048bd35eed63c

SHA1
4e6f8fc1fb09571053eb15fe275e679d9631aad0

SHA256
549b31810cf35bba7d2ba691fbfd42f8cb4ff8cfcc19a92d438d365b99e53a81

SHA512
01e06df67d64e17f82a84f63685faf66e154c492b9daa1d8241733769ae38d8ba0f3009c344949af9461fc801b9e3c9c883238d3c29c951db3dff157c3966443

Download Submit
C:\Users\Admin\AppData\Local\Temp\24e097f2-6c81-41c8-9f93-09ff436d5ec1.vbs

Filesize
744B

MD5
1ef207c40c80217ba264f1f4c32ffa3b

SHA1
175be0ca9ad826f37f5f50a3a50ab5b259021b6b

SHA256
d788cffb534a93e2f341ded018ab12db4d2dd87168004527683303e744eb67c6

SHA512
3b0806287ac61c8f03e9560c8aa5360556be7c74ce5e2d441d038852ef5824f2db87422101891b504ee439cbc4ae7f7501471c662379454a2c8c693eb6e20dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\28fceb3f-0c78-45f4-aea7-050e5db842f2.vbs

Filesize
743B

MD5
d440fff25c7e57b37c5412edb3a34b8b

SHA1
4a38024b506e628901a75f2cd64efaf3b7ffcacc

SHA256
aa4150ff8953f35d50479ea08125faadf94a760217e0452c6551f8e68388cf3e

SHA512
815e414aaded834766649a0c119993190054cff6b54f7d493be94f7dce58b102530aa0df29add93683e4c08df37da2e3952288b6d2bf1563d5ab2ca87f8cbec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d4332a6-d805-49af-bcc6-d0881d986598.vbs

Filesize
744B

MD5
5e571017e6e76389a0f7c60822efaa8d

SHA1
38958aa5a181523f808a4485f062ecb69eabbee2

SHA256
5903980c463faf047a13b39fff56c5fdc8ea192db8b06b86d96d1f3df359387c

SHA512
3af4c7a3b0cd5d274a31f3c6a24d48cb2c0ae9b4e3ddf9facc9f7d702a0ad069d84c24ad07c0818f64142e3b79b5b3ac5c88880bf018739fe0a264d35a3c154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\392e716d-89dc-4753-ad66-c4992476f750.vbs

Filesize
744B

MD5
5b01ee83c0568eaae00abdffc4d2a313

SHA1
c075506cdd09ad1a82224b4ae86e7399d6aaf343

SHA256
344f09f5aa4b89c07830ede37d854ce98d44db8a98ec4e516053629f0bc9ea22

SHA512
a4210de109fe567c4b94932db5f5d173d717d552edb216b75366b47d1ee6ef8b2d45c1323ab4b250cb4ca1d4db67272af39c2c1502867e4c069bc4547e201dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\953728bc-dfc8-4bfd-945c-e19c14b32a80.vbs

Filesize
744B

MD5
292efb282b745218936994b622e43774

SHA1
698a2784f16793b69a3d3d37bec74bc11f54fe1c

SHA256
ea617b40b48f0b749822c367f784611ded7cfa0f5681b7b1e86f6b174f746a63

SHA512
d1dcfe5da6427215b555688e5c282e35c77402ed542d824f0b8ee1bb5335f867c97182b20680cccd19035cdc322f897d6d45798a014aeba777363dcf1d17ec33

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b1x0gks0.3ht.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bab1fa1e-86a9-4f54-900e-cfe8e838bc32.vbs

Filesize
744B

MD5
3585e1cafb0f18f67a7a83c3ea40fa00

SHA1
0724d8ab8a3d59853abb4d3042c4673d7336c026

SHA256
d830268f21343ab0291779712a89e1e934258b9f284d7faebe92cc1de4804b33

SHA512
d3330c2ffc5d1ac34c941c2e68fa4853534a566c30e77b722ad21707f18b2a7d7ac8bb3be9389eddb78eb56df65905a7fe1d03b0de3f0affc9ed7f3b3452b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7e9796b-db15-427c-a52e-707194d99a8c.vbs

Filesize
744B

MD5
b4530e17b7aa4b04fb0bd252648a913d

SHA1
64d510df5978d1cb182d076c0a3f8479456c89ba

SHA256
ee86918ceff873e230e2953b7fa40a8c757a63e059690e44e70b980b7047a362

SHA512
daa3cb7b24ed36a4b60fa15d2d5ec161eb79fe6bbc1188baaac09f2b3052d6f816b9ed111854a9a43c88ce3116a519edd1b04da4bdbff62a9254bc7d511c618a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5dd7bf4-c5bf-4751-8452-5c72ace23edf.vbs

Filesize
744B

MD5
ae5a50a0016aec7e0150ce7d870877e3

SHA1
32d4f8e75e38fa83e6c45f4bb9197c2a362e120d

SHA256
5c9cef3be361b228fdcc1f55389433a1ce2af72c4fd4c43662d141da8b3917da

SHA512
1a49dc89a990f53ef6caa3872bb0831453e7d0c2c5b61051e8cc73fd28ef751a13c93cce79db1fab8f3fd1739a59124c6fad0c6bb3e211a0443c3941637cd62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0aca9b1-d4de-43e1-b37b-46f6fd558da5.vbs

Filesize
744B

MD5
e0c6b2f5b6450fb83aa52faa6670c229

SHA1
7a370f02c7b8cd27ae29f67338f52e9d81942c6c

SHA256
496bbd788f47c8fcae5ed08c1846936e9f7f2fca8db581de22a39230ee086e94

SHA512
fffc6f6278be3f5c0c38a2e24b38e900077492df6444f78d271e9293af1e69d1d8f4ce56503b5e38c7388b82863b8a076116844c56027473e22abd5890212c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1570df9-b268-4f25-b3ac-fb95f1f1e4f8.vbs

Filesize
744B

MD5
97a896eabefc6b445a65879dd6e015a7

SHA1
9859a11dc8ddb8b6cdab062d14ef3d7b0c00381a

SHA256
6a8b9f12f354cccfaf4375d42431acd2ae129e1e81493e7a4fbba79435c07855

SHA512
5394670f2d62a502726a8f1491f32bb5bfaf0e7a08f4f30f704657a7eb35adb8b233c287c1556804d1ea9f501ef88464499725ffced7630bd523dec9373aa904

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe

Filesize
1.5MB

MD5
f91496771d28964b72f434ea6126dfa8

SHA1
a4931a74891db919f9fedac48df224239fd06f6b

SHA256
26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7

SHA512
8395779d39446f35acbf91e20e7ba236a4c2b66ee4a90a75898014855775ccd5038b848ba513d3d28faccbce1738d548a322f25f86dbe794b16423b10049dbc1

Download Submit
memory/452-281-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/1980-258-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

Filesize
72KB

Download
memory/2140-246-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2144-14-0x0000000002740000-0x000000000274C000-memory.dmp

Filesize
48KB

Download
memory/2144-11-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2144-25-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/2144-1-0x00000000002F0000-0x000000000046E000-memory.dmp

Filesize
1.5MB

Download
memory/2144-205-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/2144-2-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/2144-24-0x00007FFA07DA0000-0x00007FFA08861000-memory.dmp

Filesize
10.8MB

Download
memory/2144-21-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/2144-20-0x000000001B780000-0x000000001B78C000-memory.dmp

Filesize
48KB

Download
memory/2144-18-0x000000001B770000-0x000000001B778000-memory.dmp

Filesize
32KB

Download
memory/2144-17-0x000000001B150000-0x000000001B15C000-memory.dmp

Filesize
48KB

Download
memory/2144-16-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/2144-15-0x000000001B130000-0x000000001B13A000-memory.dmp

Filesize
40KB

Download
memory/2144-0-0x00007FFA07DA3000-0x00007FFA07DA5000-memory.dmp

Filesize
8KB

Download
memory/2144-3-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2144-12-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2144-13-0x0000000002730000-0x000000000273A000-memory.dmp

Filesize
40KB

Download
memory/2144-4-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/2144-10-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2144-8-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2144-9-0x00000000026F0000-0x00000000026FC000-memory.dmp

Filesize
48KB

Download
memory/2144-6-0x00000000026B0000-0x00000000026BA000-memory.dmp

Filesize
40KB

Download
memory/2144-7-0x00000000026D0000-0x00000000026DC000-memory.dmp

Filesize
48KB

Download
memory/2144-5-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/2360-329-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/2444-139-0x00000184E5D70000-0x00000184E5D92000-memory.dmp

Filesize
136KB

Download
memory/2524-341-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download
memory/3024-206-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3024-204-0x0000000000240000-0x00000000003BE000-memory.dmp

Filesize
1.5MB

Download
memory/3300-293-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/3608-327-0x000000001BB10000-0x000000001BC12000-memory.dmp

Filesize
1.0MB

Download
memory/3812-234-0x0000000001A20000-0x0000000001A32000-memory.dmp

Filesize
72KB

Download
memory/5100-305-0x00000000010A0000-0x00000000010B2000-memory.dmp

Filesize
72KB

Download