dcrat | b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Size

2.2MB
MD5

734f6915b07742d30bc125ff73f87d80
SHA1

f5bbfbc8c5bd6ddb6329c3fca96261c787de0317
SHA256

b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2
SHA512

e9707ef0e75d94bea0c442cffde33aa74748b4c35471e45bab417dc5265f6ddb95e5d8edb55bf347a6a1d4881e50d85a75852f1acedf78a8892f44c708cee579
SSDEEP

49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:sLlK6d3/Nh/bV/Oq3Dxp2RUG

Score

10^/10

dcrat defense_evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
1712	schtasks.exe
4240	schtasks.exe
1956	schtasks.exe
2104	schtasks.exe
4032	schtasks.exe
552	schtasks.exe
2512	schtasks.exe
2656	schtasks.exe
4368	schtasks.exe
4132	schtasks.exe
4148	schtasks.exe
1960	schtasks.exe
4688	schtasks.exe
1668	schtasks.exe
4936	schtasks.exe
4076	schtasks.exe
1720	schtasks.exe
2816	schtasks.exe
4704	schtasks.exe
1416	schtasks.exe
2188	schtasks.exe
4028	schtasks.exe
4944	schtasks.exe
2296	schtasks.exe
1112	schtasks.exe
380	schtasks.exe
4484	schtasks.exe
4568	schtasks.exe
4080	schtasks.exe
1908	schtasks.exe
4424	schtasks.exe
5084	schtasks.exe
2544	schtasks.exe
4908	schtasks.exe
3356	schtasks.exe
1668	schtasks.exe
3572	schtasks.exe
4900	schtasks.exe
2072	schtasks.exe
1212	schtasks.exe
3520	schtasks.exe
1980	schtasks.exe
1232	schtasks.exe
2780	schtasks.exe
3500	schtasks.exe
2908	schtasks.exe
4692	schtasks.exe
2308	schtasks.exe
2724	schtasks.exe
3792	schtasks.exe
432	schtasks.exe
4004	schtasks.exe
1640	schtasks.exe
468	schtasks.exe
2348	schtasks.exe
512	schtasks.exe
4820	schtasks.exe
4720	schtasks.exe
3976	schtasks.exe
4452	schtasks.exe
2372	schtasks.exe
4868	schtasks.exe
4996	schtasks.exe
4780	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 23 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1628	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1628	schtasks.exe	86

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3460-1-0x0000000000990000-0x0000000000BBE000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c8b-41.dat	dcrat
behavioral2/files/0x000c000000023c8f-68.dat	dcrat
behavioral2/files/0x000b000000023c7d-91.dat	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Executes dropped EXE 4 IoCs

pid	Process
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
1208	RuntimeBroker.exe
4976	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N = "\"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\sihost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Desktop\\Registry.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\sihost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Desktop\\Registry.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N = "\"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\ShellExperiences\\TextInputHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\ShellExperiences\\TextInputHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\upfc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Windows Multimedia Platform\e1ef82546f0b02	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Windows Defender\55b276f4edf653	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Microsoft.NET\5b884080fd4f94	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\winlogon.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Microsoft Office 15\dllhost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Microsoft Office 15\5940a34987c991	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Google\Temp\ea1d8f6d871115	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXDB08.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\dllhost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Uninstall Information\RuntimeBroker.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\66fc9ff0ee96c2	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\explorer.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXD1AA.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXD1BA.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXD866.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Common Files\System\uk-UA\unsecapp.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Common Files\System\uk-UA\29c1c3cc0f7685	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\uk-UA\unsecapp.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\RuntimeBroker.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Windows Sidebar\explorer.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\upfc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXDB19.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXD8E4.tmp	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Program Files\Crashpad\attachments\55b276f4edf653	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GameBarPresenceWriter\upfc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File opened for modification	C:\Windows\ShellExperiences\TextInputHost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\GameBarPresenceWriter\upfc.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\GameBarPresenceWriter\ea1d8f6d871115	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\ShellExperiences\TextInputHost.exe	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
File created	C:\Windows\ShellExperiences\22eafd247d37c3	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2072	schtasks.exe
4936	schtasks.exe
2816	schtasks.exe
2780	schtasks.exe
1960	schtasks.exe
1232	schtasks.exe
4032	schtasks.exe
3500	schtasks.exe
4720	schtasks.exe
4692	schtasks.exe
1668	schtasks.exe
3976	schtasks.exe
2544	schtasks.exe
2188	schtasks.exe
3572	schtasks.exe
1956	schtasks.exe
1212	schtasks.exe
1712	schtasks.exe
1720	schtasks.exe
932	schtasks.exe
2656	schtasks.exe
1640	schtasks.exe
4688	schtasks.exe
432	schtasks.exe
4452	schtasks.exe
4424	schtasks.exe
1668	schtasks.exe
1980	schtasks.exe
4820	schtasks.exe
2908	schtasks.exe
3356	schtasks.exe
2372	schtasks.exe
4484	schtasks.exe
4132	schtasks.exe
4996	schtasks.exe
380	schtasks.exe
4780	schtasks.exe
4568	schtasks.exe
3188	schtasks.exe
4900	schtasks.exe
1416	schtasks.exe
1908	schtasks.exe
4368	schtasks.exe
2308	schtasks.exe
4908	schtasks.exe
4868	schtasks.exe
4944	schtasks.exe
3520	schtasks.exe
4076	schtasks.exe
2104	schtasks.exe
1112	schtasks.exe
4080	schtasks.exe
2296	schtasks.exe
4240	schtasks.exe
3108	schtasks.exe
5084	schtasks.exe
4704	schtasks.exe
2552	schtasks.exe
2724	schtasks.exe
3792	schtasks.exe
4028	schtasks.exe
552	schtasks.exe
2512	schtasks.exe
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Token: SeDebugPrivilege	3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Token: SeDebugPrivilege	5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Token: SeDebugPrivilege	1208	RuntimeBroker.exe
Token: SeDebugPrivilege	4976	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3864	3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	102
PID 3460 wrote to memory of 3864	3460	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	102
PID 3864 wrote to memory of 1028	3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	112
PID 3864 wrote to memory of 1028	3864	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	112
PID 1028 wrote to memory of 3732	1028	cmd.exe	114
PID 1028 wrote to memory of 3732	1028	cmd.exe	114
PID 1028 wrote to memory of 5060	1028	cmd.exe	115
PID 1028 wrote to memory of 5060	1028	cmd.exe	115
PID 5060 wrote to memory of 1396	5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	161
PID 5060 wrote to memory of 1396	5060	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe	161
PID 1396 wrote to memory of 788	1396	cmd.exe	163
PID 1396 wrote to memory of 788	1396	cmd.exe	163
PID 1396 wrote to memory of 1208	1396	cmd.exe	165
PID 1396 wrote to memory of 1208	1396	cmd.exe	165
PID 1208 wrote to memory of 2364	1208	RuntimeBroker.exe	166
PID 1208 wrote to memory of 2364	1208	RuntimeBroker.exe	166
PID 1208 wrote to memory of 1032	1208	RuntimeBroker.exe	167
PID 1208 wrote to memory of 1032	1208	RuntimeBroker.exe	167
PID 2364 wrote to memory of 4976	2364	WScript.exe	169
PID 2364 wrote to memory of 4976	2364	WScript.exe	169
PID 4976 wrote to memory of 872	4976	RuntimeBroker.exe	170
PID 4976 wrote to memory of 872	4976	RuntimeBroker.exe	170
PID 4976 wrote to memory of 2136	4976	RuntimeBroker.exe	171
PID 4976 wrote to memory of 2136	4976	RuntimeBroker.exe	171

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
"C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3460
- C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
  "C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MorhJGzBLt.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
      "C:\Users\Admin\AppData\Local\Temp\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4fMT0wY0n5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:788
      - C:\Program Files\Uninstall Information\RuntimeBroker.exe
        
        "C:\Program Files\Uninstall Information\RuntimeBroker.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\224c73fd-408c-49bc-aa6b-1f75589f1d39.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Program Files\Uninstall Information\RuntimeBroker.exe
        
        "C:\Program Files\Uninstall Information\RuntimeBroker.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3704952-29d0-4136-845e-1cb6ae5c5fb0.vbs"
        9⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd15bc1b-8ca5-4030-96dd-0b3d96324d30.vbs"
        9⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9ebc67b-a1ad-4f3e-9ce4-b5e63e43b12f.vbs"
        7⤵
        
        PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2Nb" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2Nb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellExperiences\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\IdentityCRL\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Desktop\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\upfc.exe

Filesize
2.2MB

MD5
a349b1a85ddfc9e3aa6806ad12dc0b6d

SHA1
5824e574e20de6907d81e2a247bfafc40541dd92

SHA256
10e86ccc4e4ca02f5d3e2151641acf5fff21ec5a369da9210937dea5e2e3d27b

SHA512
5b4b6ec83481607702b4da6df113dbecace8b44593f404ee07c72e09551611a96573693987c85f9bde8aa707a429e563941a63cbd55ff3ec68489b1a215838e8

Download Submit
C:\Program Files\Microsoft Office 15\dllhost.exe

Filesize
2.2MB

MD5
734f6915b07742d30bc125ff73f87d80

SHA1
f5bbfbc8c5bd6ddb6329c3fca96261c787de0317

SHA256
b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2

SHA512
e9707ef0e75d94bea0c442cffde33aa74748b4c35471e45bab417dc5265f6ddb95e5d8edb55bf347a6a1d4881e50d85a75852f1acedf78a8892f44c708cee579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe.log

Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Temp\224c73fd-408c-49bc-aa6b-1f75589f1d39.vbs

Filesize
732B

MD5
c9efe605955f7fa5c1d4a18448de7901

SHA1
c710bf2497069da6132b336b50bc0f1980b945c5

SHA256
431f3c546f036f86af87e1769824c6090b2593198164edd7223f0678aaf2388c

SHA512
70102e0c2ab58632cf0140e9910c3b1bdef45fb52d48b1d2285c9a3e1a7e4e48c608a670589f43a2c9a9301b1ca02a8e2f320dd1fb825fbf4900ce68a53c514e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fMT0wY0n5.bat

Filesize
221B

MD5
a10dd7e9e5f1d5925785c091fd0cf49b

SHA1
8281425d358275181e4307a3fec6ae4a7b52cc1d

SHA256
43ff523e124ffa646e03f9486f6ee70770d1ba992e826fea49a6b2d0dc5a7931

SHA512
5578eddaac25a1047f02410dc3f01f3fe0b8b3ee74cde27049b9eba5b1c13b3aa7381d2a3bf22b5b6924eb56d00d4ec67a3694188d221ddb4bd2583bf52c82ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MorhJGzBLt.bat

Filesize
268B

MD5
d2bfc8d55e535cfc7e9619226299a7b1

SHA1
b53aae4058a55ce16f4bd475c0033fd8d923487f

SHA256
4fb7777b7c96dca1d61a8cec433efc60befe1f8066fa06605a2f9bbfa6686c9c

SHA512
21a33bba97285c1f57fe0598a66fd014905221df36f81830e1263c983ff220d8962020e3ebccf8a497cd7e62b45c04cb80e8dd272d842e80eb8491b48bd23c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3704952-29d0-4136-845e-1cb6ae5c5fb0.vbs

Filesize
732B

MD5
e0f41232475d9c2243064774543ba30d

SHA1
95922354cde2d5d049386b3d3204c77da54922ff

SHA256
260bd73326f71b3603e6de20dc60e56179ede50631ebf85123c636d739c794d7

SHA512
cee81aba07870218fb77adacdeb9f2e98d78da75b87d1215cfe8f9484b580be022df47f70211b8c991bfdcce1f2c0214f4400dda1b4de7fa0d230a10905e4b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9ebc67b-a1ad-4f3e-9ce4-b5e63e43b12f.vbs

Filesize
508B

MD5
e3b161d97682611344f525b99f9b47f5

SHA1
0a09bacf63833cbce4c63ce033b6903a31d56f83

SHA256
403783a66613d76b6af86e7a1415734a17a56f5aea35dc3c7c5821c53f33f738

SHA512
d4f3788b4f2291f428c65b46ee4b06b3e5edca6391f16bf0dce27a2fbb0bb07b73b4cb2d8ccadd31a759ecff94717a6752da1923dded25ffeec21245750e852a

Download Submit
C:\Users\Public\fontdrvhost.exe

Filesize
2.2MB

MD5
e677857a199eae23231e1f3ae029165e

SHA1
21f094738c1cb869de06cfa8d1418a92e6386e5b

SHA256
ad5b6303264eb7bb9910659d2d4d184d3eaf20033d36b22c32965b18b8076dac

SHA512
74a4cef2924ebd2ccbbe5a49d7e2d9c2df8ffeee4c3ab6461585aa7940722d6e5ae9ca1a74dd9a0eac1458d4e45784d0551adfef47711251577d16d90d5513e8

Download Submit
memory/3460-21-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/3460-29-0x000000001C120000-0x000000001C128000-memory.dmp

Filesize
32KB

Download
memory/3460-12-0x000000001C140000-0x000000001C150000-memory.dmp

Filesize
64KB

Download
memory/3460-13-0x000000001C020000-0x000000001C02A000-memory.dmp

Filesize
40KB

Download
memory/3460-14-0x000000001C030000-0x000000001C03C000-memory.dmp

Filesize
48KB

Download
memory/3460-15-0x000000001C040000-0x000000001C048000-memory.dmp

Filesize
32KB

Download
memory/3460-16-0x000000001C050000-0x000000001C05C000-memory.dmp

Filesize
48KB

Download
memory/3460-17-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/3460-19-0x000000001C070000-0x000000001C082000-memory.dmp

Filesize
72KB

Download
memory/3460-20-0x000000001C680000-0x000000001CBA8000-memory.dmp

Filesize
5.2MB

Download
memory/3460-0-0x00007FFF394F3000-0x00007FFF394F5000-memory.dmp

Filesize
8KB

Download
memory/3460-22-0x000000001C0B0000-0x000000001C0BC000-memory.dmp

Filesize
48KB

Download
memory/3460-23-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

Filesize
48KB

Download
memory/3460-28-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/3460-25-0x000000001C0E0000-0x000000001C0EE000-memory.dmp

Filesize
56KB

Download
memory/3460-24-0x000000001C0D0000-0x000000001C0DA000-memory.dmp

Filesize
40KB

Download
memory/3460-30-0x00007FFF394F0000-0x00007FFF39FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-11-0x000000001B840000-0x000000001B848000-memory.dmp

Filesize
32KB

Download
memory/3460-34-0x00007FFF394F0000-0x00007FFF39FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-31-0x000000001C130000-0x000000001C13C000-memory.dmp

Filesize
48KB

Download
memory/3460-27-0x000000001C100000-0x000000001C10E000-memory.dmp

Filesize
56KB

Download
memory/3460-26-0x000000001C0F0000-0x000000001C0F8000-memory.dmp

Filesize
32KB

Download
memory/3460-10-0x000000001B830000-0x000000001B83C000-memory.dmp

Filesize
48KB

Download
memory/3460-9-0x000000001B810000-0x000000001B826000-memory.dmp

Filesize
88KB

Download
memory/3460-6-0x000000001BFD0000-0x000000001C020000-memory.dmp

Filesize
320KB

Download
memory/3460-109-0x00007FFF394F0000-0x00007FFF39FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-7-0x0000000002EC0000-0x0000000002EC8000-memory.dmp

Filesize
32KB

Download
memory/3460-8-0x000000001B800000-0x000000001B810000-memory.dmp

Filesize
64KB

Download
memory/3460-5-0x000000001B7E0000-0x000000001B7FC000-memory.dmp

Filesize
112KB

Download
memory/3460-4-0x0000000002D40000-0x0000000002D4E000-memory.dmp

Filesize
56KB

Download
memory/3460-3-0x0000000002D30000-0x0000000002D3E000-memory.dmp

Filesize
56KB

Download
memory/3460-2-0x00007FFF394F0000-0x00007FFF39FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-1-0x0000000000990000-0x0000000000BBE000-memory.dmp

Filesize
2.2MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Users\\Public\\Documents\\My Videos\\b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\WindowsHolographicDevices\\winlogon.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\uk-UA\\unsecapp.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fontdrvhost.exe\", \"C:\\Windows\\GameBarPresenceWriter\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\Windows\\ShellExperiences\\TextInputHost.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\services.exe\", \"C:\\Users\\Default\\Desktop\\Registry.exe\", \"C:\\Program Files\\Crashpad\\attachments\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\sihost.exe\""	b0997cf70abbd1e112010f380df1a977ab85f38d6c410147fb65a5674b2f6be2N.exe