dcrat | 774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Size

2.2MB
MD5

889f050ef7bc85238ef3ba17c1ca8530
SHA1

5168769f30a3efbf81ec2174c84d4290882b4c08
SHA256

774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d
SHA512

4a7c67efba35f6e12d2953466e8e7b3a05254ae1fc0cfd43cb16d9cb50bc4e69bdfb44d25d8555b36d7a6096a8a3c8c160de1cd03ee022c5a57681c59c7bf0ef
SSDEEP

49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:sLlK6d3/Nh/bV/Oq3Dxp2RUG

Score

10^/10

dcrat defense_evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2108	schtasks.exe
		1756	schtasks.exe
		1876	schtasks.exe
		1300	schtasks.exe
		2608	schtasks.exe
		1716	schtasks.exe
		304	schtasks.exe
		1796	schtasks.exe
		1292	schtasks.exe
		2224	schtasks.exe
		292	schtasks.exe
		1316	schtasks.exe
		932	schtasks.exe
		1616	schtasks.exe
		872	schtasks.exe
		1732	schtasks.exe
		1740	schtasks.exe
		1932	schtasks.exe
		2896	schtasks.exe
		2964	schtasks.exe
		1004	schtasks.exe
		2208	schtasks.exe
		2096	schtasks.exe
		1520	schtasks.exe
		1660	schtasks.exe
		2308	schtasks.exe
		572	schtasks.exe
		1728	schtasks.exe
		1272	schtasks.exe
		2908	schtasks.exe
		2432	schtasks.exe
		2136	schtasks.exe
		2168	schtasks.exe
		2416	schtasks.exe
		2152	schtasks.exe
		1376	schtasks.exe
		1132	schtasks.exe
		1696	schtasks.exe
		1476	schtasks.exe
		2216	schtasks.exe
		2900	schtasks.exe
		2132	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
		1148	schtasks.exe
		2916	schtasks.exe
		2260	schtasks.exe
		2420	schtasks.exe
		1804	schtasks.exe
		1624	schtasks.exe
		2580	schtasks.exe
		2812	schtasks.exe
		1004	schtasks.exe
		1940	schtasks.exe
		2932	schtasks.exe
		1424	schtasks.exe
		2432	schtasks.exe
		1048	schtasks.exe
		1668	schtasks.exe
		876	schtasks.exe
		2704	schtasks.exe
		2812	schtasks.exe
		2188	schtasks.exe
		2820	schtasks.exe
		2744	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 30 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dllhost.exe\", \"C:\\Users\\Admin\\My Documents\\lsass.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dllhost.exe\", \"C:\\Users\\Admin\\My Documents\\lsass.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\dllhost.exe\", \"C:\\Users\\Admin\\My Documents\\lsass.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\Default\\Cookies\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Users\\Admin\\Application Data\\dllhost.exe\", \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Users\\Admin\\Searches\\System.exe\", \"C:\\Windows\\Media\\Sonata\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\wininit.exe\", \"C:\\Users\\Admin\\Downloads\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\", \"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\", \"C:\\Users\\Public\\services.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2648	schtasks.exe	30

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000E60000-0x000000000108E000-memory.dmp	dcrat
behavioral1/files/0x0005000000019650-38.dat	dcrat
behavioral1/files/0x0006000000019b18-103.dat	dcrat
behavioral1/files/0x000a000000019426-126.dat	dcrat
behavioral1/files/0x000b000000019650-161.dat	dcrat
behavioral1/files/0x0011000000019d98-231.dat	dcrat
behavioral1/files/0x000b000000019f77-270.dat	dcrat
behavioral1/memory/1876-292-0x0000000000F40000-0x000000000116E000-memory.dmp	dcrat
behavioral1/memory/2680-350-0x0000000000920000-0x0000000000B4E000-memory.dmp	dcrat
behavioral1/memory/2152-361-0x00000000013A0000-0x00000000015CE000-memory.dmp	dcrat
behavioral1/memory/2976-374-0x00000000003E0000-0x000000000060E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Executes dropped EXE 4 IoCs

pid	Process
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2680	WmiPrvSE.exe
2152	WmiPrvSE.exe
2976	WmiPrvSE.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Application Data\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Searches\\System.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Uninstall Information\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\My Documents\\lsass.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d = "\"C:\\Program Files\\VideoLAN\\VLC\\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d = "\"C:\\Program Files\\VideoLAN\\VLC\\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Searches\\System.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Media\\Sonata\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Uninstall Information\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Cookies\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Downloads\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Desktop\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsm.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\SysWOW64\\pt-PT\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\My Documents\\lsass.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Cookies\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\sppsvc.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\WmiPrvSE.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Media\\Sonata\\explorer.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\WmiPrvSE.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\services.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Application Data\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Office\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Downloads\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\dllhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\Idle.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Microsoft Office\\wininit.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Desktop\\taskhost.exe\""	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pt-PT\taskhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Windows\SysWOW64\pt-PT\b75386f1303e64	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Windows\SysWOW64\pt-PT\taskhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\it-IT\b75386f1303e64	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\7a0fd90576e088	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\sppsvc.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\5940a34987c991	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\taskhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8D9F.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX9843.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\dllhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\taskhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\f3b6ecef712a24	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\0a1fd5f707cd16	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXA101.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXA102.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXA374.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\sppsvc.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXA306.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXA597.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Microsoft Office\wininit.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Microsoft Office\wininit.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\Microsoft Office\56085415360792	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX9842.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Uninstall Information\dllhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Uninstall Information\5940a34987c991	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\VideoLAN\VLC\bb7cefd3a10c61	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\dllhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\dllhost.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX8703.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXA598.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files\VideoLAN\VLC\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX8704.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8D9E.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Media\Sonata\7a0fd90576e088	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Windows\Media\Sonata\RCX963D.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Windows\Media\Sonata\RCX963E.tmp	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File opened for modification	C:\Windows\Media\Sonata\explorer.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Windows\CSC\v2.0.6\explorer.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
File created	C:\Windows\Media\Sonata\explorer.exe	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1276	schtasks.exe
1132	schtasks.exe
1316	schtasks.exe
2704	schtasks.exe
2468	schtasks.exe
1424	schtasks.exe
2000	schtasks.exe
2964	schtasks.exe
2580	schtasks.exe
2544	schtasks.exe
1696	schtasks.exe
1048	schtasks.exe
2420	schtasks.exe
1668	schtasks.exe
2728	schtasks.exe
2224	schtasks.exe
2748	schtasks.exe
2932	schtasks.exe
964	schtasks.exe
1004	schtasks.exe
1292	schtasks.exe
932	schtasks.exe
1728	schtasks.exe
3052	schtasks.exe
1148	schtasks.exe
876	schtasks.exe
2608	schtasks.exe
2432	schtasks.exe
2820	schtasks.exe
2132	schtasks.exe
2188	schtasks.exe
2416	schtasks.exe
872	schtasks.exe
292	schtasks.exe
1804	schtasks.exe
1300	schtasks.exe
572	schtasks.exe
2348	schtasks.exe
1712	schtasks.exe
2308	schtasks.exe
1932	schtasks.exe
352	schtasks.exe
1416	schtasks.exe
2916	schtasks.exe
628	schtasks.exe
1004	schtasks.exe
304	schtasks.exe
2744	schtasks.exe
984	schtasks.exe
1728	schtasks.exe
2152	schtasks.exe
2884	schtasks.exe
2812	schtasks.exe
1756	schtasks.exe
2168	schtasks.exe
2368	schtasks.exe
1624	schtasks.exe
1376	schtasks.exe
2216	schtasks.exe
2900	schtasks.exe
1740	schtasks.exe
1476	schtasks.exe
2896	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Token: SeDebugPrivilege	1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Token: SeDebugPrivilege	2680	WmiPrvSE.exe
Token: SeDebugPrivilege	2152	WmiPrvSE.exe
Token: SeDebugPrivilege	2976	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2736	2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	85
PID 2684 wrote to memory of 2736	2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	85
PID 2684 wrote to memory of 2736	2684	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	85
PID 2736 wrote to memory of 2276	2736	cmd.exe	87
PID 2736 wrote to memory of 2276	2736	cmd.exe	87
PID 2736 wrote to memory of 2276	2736	cmd.exe	87
PID 2736 wrote to memory of 1876	2736	cmd.exe	88
PID 2736 wrote to memory of 1876	2736	cmd.exe	88
PID 2736 wrote to memory of 1876	2736	cmd.exe	88
PID 1876 wrote to memory of 2260	1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	127
PID 1876 wrote to memory of 2260	1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	127
PID 1876 wrote to memory of 2260	1876	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe	127
PID 2260 wrote to memory of 2792	2260	cmd.exe	129
PID 2260 wrote to memory of 2792	2260	cmd.exe	129
PID 2260 wrote to memory of 2792	2260	cmd.exe	129
PID 2260 wrote to memory of 2680	2260	cmd.exe	130
PID 2260 wrote to memory of 2680	2260	cmd.exe	130
PID 2260 wrote to memory of 2680	2260	cmd.exe	130
PID 2680 wrote to memory of 2096	2680	WmiPrvSE.exe	131
PID 2680 wrote to memory of 2096	2680	WmiPrvSE.exe	131
PID 2680 wrote to memory of 2096	2680	WmiPrvSE.exe	131
PID 2680 wrote to memory of 1476	2680	WmiPrvSE.exe	132
PID 2680 wrote to memory of 1476	2680	WmiPrvSE.exe	132
PID 2680 wrote to memory of 1476	2680	WmiPrvSE.exe	132
PID 2096 wrote to memory of 2152	2096	WScript.exe	133
PID 2096 wrote to memory of 2152	2096	WScript.exe	133
PID 2096 wrote to memory of 2152	2096	WScript.exe	133
PID 2152 wrote to memory of 2820	2152	WmiPrvSE.exe	134
PID 2152 wrote to memory of 2820	2152	WmiPrvSE.exe	134
PID 2152 wrote to memory of 2820	2152	WmiPrvSE.exe	134
PID 2152 wrote to memory of 1596	2152	WmiPrvSE.exe	135
PID 2152 wrote to memory of 1596	2152	WmiPrvSE.exe	135
PID 2152 wrote to memory of 1596	2152	WmiPrvSE.exe	135
PID 2820 wrote to memory of 2976	2820	WScript.exe	136
PID 2820 wrote to memory of 2976	2820	WScript.exe	136
PID 2820 wrote to memory of 2976	2820	WScript.exe	136
PID 2976 wrote to memory of 1536	2976	WmiPrvSE.exe	137
PID 2976 wrote to memory of 1536	2976	WmiPrvSE.exe	137
PID 2976 wrote to memory of 1536	2976	WmiPrvSE.exe	137
PID 2976 wrote to memory of 1248	2976	WmiPrvSE.exe	138
PID 2976 wrote to memory of 1248	2976	WmiPrvSE.exe	138
PID 2976 wrote to memory of 1248	2976	WmiPrvSE.exe	138

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
"C:\Users\Admin\AppData\Local\Temp\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hrCifyI9nN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe
    "C:\Users\Admin\AppData\Local\Temp\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDmtGaNWVM.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2792
    - - C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2680
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62e8f2c4-aca8-410c-8e5c-7d5568198942.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164a591e-e3fa-438f-b5a9-213ad38d3261.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79baa9da-343a-47f3-8009-208970631454.vbs"
        10⤵
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02a31041-982e-438d-bdc5-ce4b1e26bf19.vbs"
        10⤵
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f790b53-5fd2-4236-8ffc-3b87796604a1.vbs"
        8⤵
        
        PID:1596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d9a16e-4e28-4559-b1a8-dc5aa1e97ea6.vbs"
        6⤵
        
        PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Searches\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Sonata\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Sonata\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\pt-PT\taskhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pt-PT\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\pt-PT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f
1⤵
- DcRat
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- DcRat
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /f
1⤵
- DcRat
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d7" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d7" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe

Filesize
2.2MB

MD5
c78871dfaca1416419f5631fbb33d4c9

SHA1
fe2339540048170d92f8ec5fc3af62e2119573c9

SHA256
ecc5758e23699d1e55d4491f66c5aab56a70d25c07df8073813deb4533048037

SHA512
d811f08410209d7280847bc89fb95ae21115b191a36b57ca8ac30e1f24e00afd4d3d2e97e9d132ff34e681dfe4fb2a09745d24e60604a74bdb8648eb7ecc1f73

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\101b941d020240

Filesize
977B

MD5
68767ca64308d79893e6ea1cb7d25637

SHA1
6e055b6631f8654ee889fd67424842104f7d33a6

SHA256
829e5c5857f2f84e8eacf624ee2bf95d5c09aa87c1dcbd2d58c312560fce1af5

SHA512
b0822fbb3699525bdf99dee9704f4873238e0aea681ea00fdd5ea4b0ebbbdf19704e9feb04bd95121ee13e487f42e9ddf1dc2fb2adae792b8a832a784aba01bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\164a591e-e3fa-438f-b5a9-213ad38d3261.vbs

Filesize
736B

MD5
9606796a0a2303413152d715271e2ba0

SHA1
39c32514c9757186ec846cfc14235b3b4b0ff13b

SHA256
546dfd48348aae5d4d5392edb07816467a8429354c48ae49edb16f7881eaae8f

SHA512
bc612491ed11d952d731fe8b7aa7ec43f3d8a4b71560100a428651574c713b49c9cf3e338716a173868ddc13d37c5561e7a9da6bce8d2f1cc5ee206514f3799b

Download Submit
C:\Users\Admin\AppData\Local\Temp\38d9a16e-4e28-4559-b1a8-dc5aa1e97ea6.vbs

Filesize
512B

MD5
80f841c85b791324662a98810a6c2373

SHA1
afe80fa58c7cfa29d5678afa0a7ae1a199112e80

SHA256
e5a52b51713d97eecc3bceed202d4f4a112b163dae38abda6f5d1354a717eb19

SHA512
fb98b1533e836b1dfa869c0be9d11e590e192f213075a79e4fd21b2b382322fd1d60442d264db806bc82eee86df9a4e63289aba3b87d03b7566e036656384575

Download Submit
C:\Users\Admin\AppData\Local\Temp\62e8f2c4-aca8-410c-8e5c-7d5568198942.vbs

Filesize
736B

MD5
14e7d749237aa64645014bd2d5badcec

SHA1
8ca2a402fe068878c131c42a93c791b0c093c79b

SHA256
969b5e79a1e7629a1e0d0e83ed14dbb2672bd320014956949326a1ab3b6a38f9

SHA512
0a737cb1b54fcf239f379e501db930ed98c2aa39a7e0e8dd4dc7750826ec1b5422a70233d01659be05ff3393df6f42b9a80f2b9fe80a64279a260812c65b1c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\79baa9da-343a-47f3-8009-208970631454.vbs

Filesize
736B

MD5
5f17513b57320753a3320aba639aa002

SHA1
02c94196b34d8054c72f122de92bf13d5ffe5c92

SHA256
f5e4fafe7e39a06268091e48ca9baa4c4706e7310524e54cf7e802118802e539

SHA512
c80b753591226e65bc3f7848600c929976527acb7bcb01d97e856efbd65af1080cc50567b1b7f1b860a7e072795a25457a58b31755102df8dc495660ab11b99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrCifyI9nN.bat

Filesize
267B

MD5
76e0e55a88a66610b8092308860ec81c

SHA1
af450d20f7f628bcdfaaebfa87e345c0d671afc9

SHA256
c38e5082c1976a48710ac831ebf96afe49a0afa601f709c2347406c50d52cd4e

SHA512
b6ca85c1b727f6344f1821740f6dadfe09ae9d1c61d7f5aca848adfef0a0b763dac9bfecafd267d09da99a284419a54b30da121992b7f959d29307399caa56b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDmtGaNWVM.bat

Filesize
225B

MD5
918e99b3248f46fff026647e5fe3cba0

SHA1
7a2d243bb96fd9cee0f508a2f42254b19b9fa182

SHA256
db7b813e6b08ed6560aa3258f0aa36fffa2c546b0a6e72efae27ce431d776f51

SHA512
16788ca516ff55dfc480a5ff4c68ebb4e780fdb432845dc4498ae34d1891358dfb224b1c78cd3b79e6efb79a135745a71dec7d40df0004d23a494f2b4ed355e6

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
2.2MB

MD5
b38c6735645e475a6c2ed89655fee339

SHA1
cfc214ebea586cebb7651a880f4c984b45e6a03a

SHA256
fe3d0f70a1cab78b019dc1d8a5b177626a98a8c2c15b477ef037efa496e5f3ee

SHA512
3604d5210cd412e1efea4aa5473cd672226c5892177f323daec36e80a0ecda76c20d4780a57f0f38cb38ad2139d9fa2208b2b9e269dfe21b6f70ad0caf5b23dd

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\wininit.exe

Filesize
2.2MB

MD5
fb31ad68881b962b6b1beb3087513517

SHA1
0cffd9169ac3b1fbdc1cac9ea92432ded1d3f35e

SHA256
526662e0e04ff2136ed5300c950d6f2712f28e8261d165a7cbc47b7df4eef712

SHA512
914a93dd2cbb00c1cee8e717b6de3a80ee816421c630c0341af11a039aa50b577ec8cc854dd5968bb8c2041bcf461fd94672ec80e14cafccdb7133fb74bd024c

Download Submit
C:\Users\Default\csrss.exe

Filesize
2.2MB

MD5
add874ab3bfec616890cf0c5f4e462b1

SHA1
b221d64beea3ba62385f0be57bbb5af1a34658ef

SHA256
b339fdeb9d762b38096d92b8bccfa880043bd8457d2c3b48b08d1e8c73b1809e

SHA512
e2b7dbe6c518b9c20b74c147b0561ba7fa251f64b0652ea207cc70b0f79037b45708af5f9f1dc8de8db8d6bef2a570b6bf2eaac5ec31ea40c3a4a92696baa6ac

Download Submit
C:\Users\Default\wininit.exe

Filesize
2.2MB

MD5
889f050ef7bc85238ef3ba17c1ca8530

SHA1
5168769f30a3efbf81ec2174c84d4290882b4c08

SHA256
774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d

SHA512
4a7c67efba35f6e12d2953466e8e7b3a05254ae1fc0cfd43cb16d9cb50bc4e69bdfb44d25d8555b36d7a6096a8a3c8c160de1cd03ee022c5a57681c59c7bf0ef

Download Submit
C:\Users\Default\wininit.exe

Filesize
2.2MB

MD5
7b2b103738ef3dc2a974986bc2ac5a79

SHA1
c46968e879763ca8c0fdfd9406f51f50ad703008

SHA256
48d5ec415e8a9ecf4a044ba01f9b9b9ea6252855c52dd30faacd9389aeda6d9e

SHA512
464fb233f6c80985756466364e1a9d94d305e9ef97198d1c2aab0dd8b2c82515a9caed4ac44e22a797a2bd6b6ced29b25a17e1ceada6223c8231752d03b60fe0

Download Submit
memory/1876-292-0x0000000000F40000-0x000000000116E000-memory.dmp

Filesize
2.2MB

Download
memory/2152-361-0x00000000013A0000-0x00000000015CE000-memory.dmp

Filesize
2.2MB

Download
memory/2152-362-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2680-350-0x0000000000920000-0x0000000000B4E000-memory.dmp

Filesize
2.2MB

Download
memory/2684-24-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2684-13-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2684-20-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2684-21-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/2684-22-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/2684-23-0x0000000000E40000-0x0000000000E4E000-memory.dmp

Filesize
56KB

Download
memory/2684-25-0x000000001A920000-0x000000001A92E000-memory.dmp

Filesize
56KB

Download
memory/2684-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2684-26-0x000000001A930000-0x000000001A93C000-memory.dmp

Filesize
48KB

Download
memory/2684-27-0x000000001A940000-0x000000001A948000-memory.dmp

Filesize
32KB

Download
memory/2684-28-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-29-0x000000001A950000-0x000000001A95C000-memory.dmp

Filesize
48KB

Download
memory/2684-18-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2684-16-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2684-15-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2684-14-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/2684-212-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2684-19-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2684-236-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-261-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-12-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2684-11-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/2684-290-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-10-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2684-9-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2684-8-0x0000000000B30000-0x0000000000B46000-memory.dmp

Filesize
88KB

Download
memory/2684-7-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2684-6-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2684-5-0x0000000000AF0000-0x0000000000B0C000-memory.dmp

Filesize
112KB

Download
memory/2684-4-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2684-3-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2684-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1-0x0000000000E60000-0x000000000108E000-memory.dmp

Filesize
2.2MB

Download
memory/2976-374-0x00000000003E0000-0x000000000060E000-memory.dmp

Filesize
2.2MB

Download