dcrat | 83fd2015a5499a8c2703d91aa047d0f099b85e8aa5ef9f2643a4eda4144a8772

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Size

1.1MB
MD5

1a6a898a0abfa818a97e0c741f62a651
SHA1

e64e7fa94a829b00de8d7a9442745f1fccfd4d26
SHA256

6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561
SHA512

d659ce4b692548eb33283398b8065296a7fb251865734c0b6269b1618999c8da7cef528a0644e9ca83a89b5c194ca44de3b8ff34e77abc0c221756f0ce2ef9ca
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		772	schtasks.exe
		2552	schtasks.exe
		3404	schtasks.exe
		4752	schtasks.exe
		3928	schtasks.exe
		3756	schtasks.exe
		3512	schtasks.exe
		744	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
		1712	schtasks.exe
		2056	schtasks.exe
		2156	schtasks.exe
		4824	schtasks.exe
		2116	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Windows\\System32\\Windows.Internal.Graphics.Display.DisplayColorManagement\\conhost.exe\", \"C:\\Windows\\System32\\dpapiprovider\\backgroundTaskHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Windows\\System32\\Windows.Internal.Graphics.Display.DisplayColorManagement\\conhost.exe\", \"C:\\Windows\\System32\\dpapiprovider\\backgroundTaskHost.exe\", \"C:\\Users\\Default User\\dllhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Documents and Settings\\upfc.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Windows\\System32\\Windows.Internal.Graphics.Display.DisplayColorManagement\\conhost.exe\", \"C:\\Windows\\System32\\dpapiprovider\\backgroundTaskHost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\System32\\SensorService\\fontdrvhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\ProgramData\\Application Data\\csrss.exe\", \"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Documents and Settings\\upfc.exe\", \"C:\\Windows\\System32\\Windows.Internal.Graphics.Display.DisplayColorManagement\\conhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2416	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2416	schtasks.exe	88

UAC bypass 3 TTPs 57 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe
2584	powershell.exe
3868	powershell.exe
2408	powershell.exe
4048	powershell.exe
644	powershell.exe
2960	powershell.exe
3472	powershell.exe
2448	powershell.exe
1752	powershell.exe
3188	powershell.exe
4036	powershell.exe
4792	powershell.exe
4904	powershell.exe
1076	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Executes dropped EXE 18 IoCs

pid	Process
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
3904	backgroundTaskHost.exe
644	backgroundTaskHost.exe
3104	backgroundTaskHost.exe
4556	backgroundTaskHost.exe
1328	backgroundTaskHost.exe
1660	backgroundTaskHost.exe
1048	backgroundTaskHost.exe
1536	backgroundTaskHost.exe
612	backgroundTaskHost.exe
3836	backgroundTaskHost.exe
2064	backgroundTaskHost.exe
2476	backgroundTaskHost.exe
3488	backgroundTaskHost.exe
2116	backgroundTaskHost.exe
1872	backgroundTaskHost.exe
2340	backgroundTaskHost.exe
3112	backgroundTaskHost.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\Windows.Internal.Graphics.Display.DisplayColorManagement\\conhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SensorService\\fontdrvhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\RuntimeBroker.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Application Data\\csrss.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Documents and Settings\\upfc.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\dpapiprovider\\backgroundTaskHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Application Data\\csrss.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\DefaultSettings\\SearchApp.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Documents and Settings\\upfc.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\dpapiprovider\\backgroundTaskHost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\RmClient\\RuntimeBroker.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\lsass.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\Windows.Internal.Graphics.Display.DisplayColorManagement\\conhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SensorService\\fontdrvhost.exe\""	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System32\dpapiprovider\backgroundTaskHost.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\dpapiprovider\eddb19405b7ce1	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\System32\Windows.Internal.Graphics.Display.DisplayColorManagement\conhost.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\System32\dpapiprovider\backgroundTaskHost.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\RmClient\RuntimeBroker.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\System32\RmClient\RCX274F.tmp	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\SensorService\fontdrvhost.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\SensorService\5b884080fd4f94	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\System32\SensorService\fontdrvhost.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\RmClient\9e8d7a4ca61bd9	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\System32\RmClient\RuntimeBroker.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\Windows.Internal.Graphics.Display.DisplayColorManagement\conhost.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\System32\Windows.Internal.Graphics.Display.DisplayColorManagement\088424020bedd6	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\6203df4a6bafc7	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\38384e6a620884	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\RCX29C1.tmp	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4824	schtasks.exe
2116	schtasks.exe
2552	schtasks.exe
2056	schtasks.exe
4752	schtasks.exe
772	schtasks.exe
3756	schtasks.exe
2156	schtasks.exe
3512	schtasks.exe
744	schtasks.exe
1712	schtasks.exe
3404	schtasks.exe
3928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
4036	powershell.exe
4036	powershell.exe
2960	powershell.exe
2960	powershell.exe
2408	powershell.exe
2408	powershell.exe
3868	powershell.exe
3868	powershell.exe
3188	powershell.exe
3188	powershell.exe
3472	powershell.exe
3472	powershell.exe
4792	powershell.exe
4792	powershell.exe
3472	powershell.exe
2960	powershell.exe
3188	powershell.exe
3868	powershell.exe
4036	powershell.exe
2408	powershell.exe
4792	powershell.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
644	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3904	backgroundTaskHost.exe
Token: SeDebugPrivilege	644	backgroundTaskHost.exe
Token: SeDebugPrivilege	3104	backgroundTaskHost.exe
Token: SeDebugPrivilege	4556	backgroundTaskHost.exe
Token: SeDebugPrivilege	1328	backgroundTaskHost.exe
Token: SeDebugPrivilege	1660	backgroundTaskHost.exe
Token: SeDebugPrivilege	1048	backgroundTaskHost.exe
Token: SeDebugPrivilege	1536	backgroundTaskHost.exe
Token: SeDebugPrivilege	612	backgroundTaskHost.exe
Token: SeDebugPrivilege	3836	backgroundTaskHost.exe
Token: SeDebugPrivilege	2064	backgroundTaskHost.exe
Token: SeDebugPrivilege	2476	backgroundTaskHost.exe
Token: SeDebugPrivilege	3488	backgroundTaskHost.exe
Token: SeDebugPrivilege	2116	backgroundTaskHost.exe
Token: SeDebugPrivilege	1872	backgroundTaskHost.exe
Token: SeDebugPrivilege	2340	backgroundTaskHost.exe
Token: SeDebugPrivilege	3112	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3472	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	98
PID 2004 wrote to memory of 3472	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	98
PID 2004 wrote to memory of 4792	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	99
PID 2004 wrote to memory of 4792	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	99
PID 2004 wrote to memory of 4036	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	100
PID 2004 wrote to memory of 4036	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	100
PID 2004 wrote to memory of 3188	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	101
PID 2004 wrote to memory of 3188	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	101
PID 2004 wrote to memory of 2960	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	102
PID 2004 wrote to memory of 2960	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	102
PID 2004 wrote to memory of 2408	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	103
PID 2004 wrote to memory of 2408	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	103
PID 2004 wrote to memory of 3868	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	104
PID 2004 wrote to memory of 3868	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	104
PID 2004 wrote to memory of 1576	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	112
PID 2004 wrote to memory of 1576	2004	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	112
PID 1576 wrote to memory of 4580	1576	cmd.exe	114
PID 1576 wrote to memory of 4580	1576	cmd.exe	114
PID 1576 wrote to memory of 1592	1576	cmd.exe	118
PID 1576 wrote to memory of 1592	1576	cmd.exe	118
PID 1592 wrote to memory of 2448	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	126
PID 1592 wrote to memory of 2448	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	126
PID 1592 wrote to memory of 2948	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	127
PID 1592 wrote to memory of 2948	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	127
PID 1592 wrote to memory of 4048	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	128
PID 1592 wrote to memory of 4048	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	128
PID 1592 wrote to memory of 4904	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	129
PID 1592 wrote to memory of 4904	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	129
PID 1592 wrote to memory of 1752	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	130
PID 1592 wrote to memory of 1752	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	130
PID 1592 wrote to memory of 2584	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	131
PID 1592 wrote to memory of 2584	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	131
PID 1592 wrote to memory of 644	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	132
PID 1592 wrote to memory of 644	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	132
PID 1592 wrote to memory of 1076	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	133
PID 1592 wrote to memory of 1076	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	133
PID 1592 wrote to memory of 1616	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	142
PID 1592 wrote to memory of 1616	1592	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe	142
PID 1616 wrote to memory of 3008	1616	cmd.exe	144
PID 1616 wrote to memory of 3008	1616	cmd.exe	144
PID 1616 wrote to memory of 3904	1616	cmd.exe	145
PID 1616 wrote to memory of 3904	1616	cmd.exe	145
PID 3904 wrote to memory of 452	3904	backgroundTaskHost.exe	146
PID 3904 wrote to memory of 452	3904	backgroundTaskHost.exe	146
PID 3904 wrote to memory of 4736	3904	backgroundTaskHost.exe	147
PID 3904 wrote to memory of 4736	3904	backgroundTaskHost.exe	147
PID 452 wrote to memory of 644	452	WScript.exe	148
PID 452 wrote to memory of 644	452	WScript.exe	148
PID 644 wrote to memory of 3220	644	backgroundTaskHost.exe	150
PID 644 wrote to memory of 3220	644	backgroundTaskHost.exe	150
PID 644 wrote to memory of 4792	644	backgroundTaskHost.exe	151
PID 644 wrote to memory of 4792	644	backgroundTaskHost.exe	151
PID 3220 wrote to memory of 3104	3220	WScript.exe	153
PID 3220 wrote to memory of 3104	3220	WScript.exe	153
PID 3104 wrote to memory of 3756	3104	backgroundTaskHost.exe	154
PID 3104 wrote to memory of 3756	3104	backgroundTaskHost.exe	154
PID 3104 wrote to memory of 2620	3104	backgroundTaskHost.exe	155
PID 3104 wrote to memory of 2620	3104	backgroundTaskHost.exe	155
PID 3756 wrote to memory of 4556	3756	WScript.exe	156
PID 3756 wrote to memory of 4556	3756	WScript.exe	156
PID 4556 wrote to memory of 920	4556	backgroundTaskHost.exe	157
PID 4556 wrote to memory of 920	4556	backgroundTaskHost.exe	157
PID 4556 wrote to memory of 3576	4556	backgroundTaskHost.exe	158
PID 4556 wrote to memory of 3576	4556	backgroundTaskHost.exe	158

System policy modification 1 TTPs 57 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
"C:\Users\Admin\AppData\Local\Temp\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Application Data\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\RmClient\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CpiVCPGEhG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe
    "C:\Users\Admin\AppData\Local\Temp\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\upfc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Internal.Graphics.Display.DisplayColorManagement\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dpapiprovider\backgroundTaskHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SensorService\fontdrvhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o6dvlEjTCw.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3008
    - - C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacdae21-8592-4efe-8ac2-20d313ed1580.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ccf036-732e-42ff-9094-1e1db8c28ebd.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e885b53-4c64-4d02-85b6-b413e43dbaf2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea4a8590-6bf1-4211-9ed6-b0ffa82b7183.vbs"
        12⤵
        
        PID:920
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ab3726-443b-4ec3-ab89-f091137fe60a.vbs"
        14⤵
        
        PID:1940
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aeceba6-9d11-4950-8f55-0bffc6b045fb.vbs"
        16⤵
        
        PID:3504
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2512b4-e7ac-4b19-8904-dd3611b06c64.vbs"
        18⤵
        
        PID:3868
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6708e8a0-bd74-498b-877c-db73a140333d.vbs"
        20⤵
        
        PID:3292
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\162a04ea-fef5-4ba6-bb44-419602150097.vbs"
        22⤵
        
        PID:400
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fbdf885-6f17-4263-9fb9-8d95b80fbc5e.vbs"
        24⤵
        
        PID:1548
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\704414ef-081e-4039-b83e-0086df6a40ea.vbs"
        26⤵
        
        PID:4000
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175a8830-70f9-4363-9693-466ae1d23829.vbs"
        28⤵
        
        PID:4488
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaa8499d-b652-43fe-9b74-31a9e5ff376f.vbs"
        30⤵
        
        PID:1212
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cb9c6a-3c6c-4e8f-aa0a-7fa2fd83ce57.vbs"
        32⤵
        
        PID:3348
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\660c6932-c75a-43ac-9a1a-c4b3adf598c1.vbs"
        34⤵
        
        PID:2756
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        35⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5c7cf8f-5bab-422a-8785-39ddcf504fa5.vbs"
        36⤵
        
        PID:3968
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        37⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00fa5f71-8a85-43cd-9e6b-2f4da1b97eca.vbs"
        38⤵
        
        PID:4160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a60eb58-5621-4f2e-bd49-7866a712ec39.vbs"
        38⤵
        
        PID:4484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4050c920-dbbd-4eb3-acbd-137060884078.vbs"
        36⤵
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb7748ca-4aff-4d32-8db2-4f4788a47e63.vbs"
        34⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7a16cd8-f498-4777-939b-53caadb5fb37.vbs"
        32⤵
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c189b6-43f5-45c6-a5c9-6c51db55b3cd.vbs"
        30⤵
        
        PID:4088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02aab87-1554-481b-ad44-d879292f57ed.vbs"
        28⤵
        
        PID:3336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5907e5a0-be6c-4145-a446-0a16e510703d.vbs"
        26⤵
        
        PID:4032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35179376-7fc3-415d-8c1c-08605146d05a.vbs"
        24⤵
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\759cca90-5831-4293-bd7f-90031c190caa.vbs"
        22⤵
        
        PID:3768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b7b1ed3-de0e-4055-aa0d-2ebd57194c23.vbs"
        20⤵
        
        PID:3660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28afe641-e608-48c5-a674-e83fbee654be.vbs"
        18⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d25fa71-775a-4ecb-9034-f095cc5c46eb.vbs"
        16⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97a9c749-a3fd-4df4-9b31-0a8885f1f8be.vbs"
        14⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\786abc34-8641-4f6b-9fd6-8f0911911628.vbs"
        12⤵
        
        PID:3576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cec6c884-a0fa-47d8-a17a-493f53f585db.vbs"
        10⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f9585c-e2a3-4683-a7ef-892886495d04.vbs"
        8⤵
        
        PID:4792
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca904f18-7906-4986-bdf0-09ef2933d985.vbs"
        6⤵
        
        PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\RmClient\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\DefaultSettings\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Documents and Settings\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.Graphics.Display.DisplayColorManagement\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\dpapiprovider\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\SensorService\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
612B

MD5
11450b30660aa0b52cef6644b431f9f8

SHA1
0ab429489cc5a44005760243dfc5247a00906271

SHA256
c078adf61868345b58524c5da11861dc56bd5f004e1a4911de2093b21263156c

SHA512
9d2fffc9555681e14bade76c44dd3e70ced9bb051dab2d79a75d83cb3f25b34ece1f1e8b0b48bfbedbceb94c3576cefd49d8767b0b64706248f6c03258076941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4884c5267263cd4ca424395bd689dc91

SHA1
3b75a916cc74a9639aea572341bf9d4e8791d79a

SHA256
8fa0f41da8f1c8adc5ab7fbbf6d0c88a44246ddc0287d3e254f662fc28367dab

SHA512
b6a597c2c3f9bb979eb43066e466086f05c60bcd6049faad66a2240f73ba4d6834ecb150cf4e3e099464e7528850cfdbf0b8ec344948b611996418536cf115c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e2512b4-e7ac-4b19-8904-dd3611b06c64.vbs

Filesize
720B

MD5
658c20ed6c0c2e66c6e5a9c0f9001c85

SHA1
e7cd11d026266dd505b9c99adc9c19a14d2dcdc2

SHA256
8c765e84a40258ef38ef074b3ea90ed1e1221760b13535fa2d1cbf3d40f1e7ae

SHA512
92e174bc117e3718e2cdbb94581c8a1df1934abe64e8654fd1b8a9281a0fcdeba9a4452f2ac078ec1f4728442f208972706448b1a8b08528a820d670ad44e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\162a04ea-fef5-4ba6-bb44-419602150097.vbs

Filesize
719B

MD5
293fb49c152cfed3fe23608b107fba84

SHA1
b7c1c5a15de9208837d603940b4112ce53aca47d

SHA256
47bd3c0bb83f750270b0cccc43caa432c59489009b7bcdef8af6d2da3b21151c

SHA512
115dfd1a27a163119335c7bf9af3a57bc3943ba32130c93c8caaa641f8ff4aa93de5f68d126d63330623dd18af0d28dd9dd5e4d8e585dc6a9a1d0ae89a4b9dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aeceba6-9d11-4950-8f55-0bffc6b045fb.vbs

Filesize
720B

MD5
a06fed9703a6a4d8d35021b60429da01

SHA1
99fa154632918e63ac3fe299673fb02c81f0734f

SHA256
2d184a5d0813fa5ee5d8960a2686eba1bbd9bc3368d47c77a9fb3dc28389742e

SHA512
774d21fc9bb37b05430a3f82382829b656d02f519a7c81c8ef5bd1ba889093057a5ece1bc0eb7fed02ae2ce8b499b383de962efbe5af7009086cfeb598e1764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e885b53-4c64-4d02-85b6-b413e43dbaf2.vbs

Filesize
720B

MD5
92dce4b6b5320da7eb261d74438cb59c

SHA1
840378f21a8e3af20c7b65cffc8815e9d12df785

SHA256
9ec357d65b439edf3a0c8079946013c641a669e92d0f90292e3667c37f620b0f

SHA512
17a9668d3437c48831425030a25fa8243f734ee448a7362268308e73b8dce3994b9233acda29a6beb04512a7effddff3b7ac91eb6cc77b8aaadf9edf47cca222

Download Submit
C:\Users\Admin\AppData\Local\Temp\6708e8a0-bd74-498b-877c-db73a140333d.vbs

Filesize
720B

MD5
ad58d036ab45a3be5f78dbf68e620cda

SHA1
3b2bd111f57e111608d82a9f3de4b56ccc4b963a

SHA256
7ab96d2ba9eaa8a402bc3edac0cbfdafd4bcbc23a291300629696920eea601da

SHA512
d4245b2402a7ad27f11daae00e3b81d0ea0d2d534f7051511c17a8baf8fd6d95d199f4c6bc30fdcdc8fad896f0de0e1db12a2a63df80d95e48ceba7b1c5610ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\704414ef-081e-4039-b83e-0086df6a40ea.vbs

Filesize
720B

MD5
a12c13f8d6c72594f71ca30e9a888709

SHA1
f6316126823f42288123f529df5df06eb3c57298

SHA256
8dab4504cdec4ab439ced577ff8224606b5b7f951e9e816daa349d1af9af0dc7

SHA512
5e6de7450f544d5bccf43f83e43e5604d651bd8248d748c436ebb3d4e7b2a7e3ec69654278d7bda36b5ea8ebd46c3ed4bd4cac1d6af5b1f6151dcb880784c199

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpiVCPGEhG.bat

Filesize
266B

MD5
8fa1e979ca7c62328b80fe6281cb5dc6

SHA1
1fdf276207b36a267c78c12517093029d006b425

SHA256
1eb9d6801a9112fce4064fcc229f08e58bd40f5426cc6393b5ff0ec05c4020db

SHA512
24690c7b4bd06142cee787d6d4edbc3775eeb6ecbd406f82eef27e984229d3575774cca5df1cb46be1e25b819690efde9bd68e090462f3df9f38793c17046965

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1bnftgc1.w5c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8ccf036-732e-42ff-9094-1e1db8c28ebd.vbs

Filesize
719B

MD5
398c5a3a05e0a9e9ffd51c3381d7387e

SHA1
decfb571c75cd302c2984512c49cbcfc06412377

SHA256
bc0c5948f3cf061f4648ad10385bd85dbe718a23c1e7fb95da4a1c796548a9ea

SHA512
78b98f2891c21dcca285fee0b9cb3e89dac206060fc0704948e16b73510186518a13b1ffd93bcc8f150d9588fd707ff04b0a6ef90d7c6c3ed762ed63a382615f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6ab3726-443b-4ec3-ab89-f091137fe60a.vbs

Filesize
720B

MD5
df4874c3ad2dfb3ae1deb4a770c44e15

SHA1
ef53adcf1be5d602fba826e9003c4f9b559472ee

SHA256
9ca49ebe30650768d134c474c86ebc7fd05859b37d0be50162f508af3e4820f9

SHA512
240f74ba14de162333901ab146e6497d32e4171ebbf6081ca81e1ebd2e58522e4f121286bb3946f149a797594fe2a3c1634d334296e5ceb1b081a2bedbb3f870

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca904f18-7906-4986-bdf0-09ef2933d985.vbs

Filesize
496B

MD5
24f38bfc5dbb0554ba45823666e1eda9

SHA1
604f88dd37fe3cdc4a68daa8a125a951313ce3ea

SHA256
3beaec505abee2b6165684b12c3e2670ed8ffbf75f9e275540f99d0bec666ba2

SHA512
287a4656f59320207223c9911a4af32813f0760b0c5cf21a6713cf807e9157e28d7b261ed0df5d3ca707194462dbb666e7950dfda1172cb24fd677beaa3e02f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cacdae21-8592-4efe-8ac2-20d313ed1580.vbs

Filesize
720B

MD5
601072114d36e8b2d3243f96d35aa7f3

SHA1
da4d2ce52c1c1d2d22222bcaddd3c8f22336a99a

SHA256
19fbb20cdaf361ad9856ca3d5722e8342841bc1f726a154f8903d520352ad664

SHA512
329b9e416bcab8a3394045d5889953410782cb151f6735a624497e854ac6d4d1d061c7dd4972f97b6ea084b8959428204bedb64de05e5b802d08775ae6555b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea4a8590-6bf1-4211-9ed6-b0ffa82b7183.vbs

Filesize
720B

MD5
8694938b0d60f94e3b181f0cdc26c94c

SHA1
37d2f1de8297e0f00c9ab365a349ee012763829c

SHA256
000b775db7c341c05870369ed090f63141d641a5b3cc05f52b9112084a54df48

SHA512
de4617ec2baa3389775af6964914b89c8ec8c89b4039c202236aa4815c244e7115af7ae9f2d8bd4c2d4298b3c22248450878d092ec93871c8ecc8ed3d887a5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
688B

MD5
647cd2d36561177c99cc39cf9efc2d8e

SHA1
5f821a9f6a79cb808b0fe98b80e31caf53e8b1df

SHA256
224ef8896af3fe1a827ad0e57e22fdb4385c059a9b7a3e3b87a15e278f7cc5d3

SHA512
70371d659dd208fbd506ea81ce4a3cd6e4c5a74e619eb73b07f9a97172d4271567c5241a374e1d5f246bf98638b8eec9806051803dccbd05efe5df4522cd26ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6dvlEjTCw.bat

Filesize
208B

MD5
95c6cf4f72c789e582bf8cb84268efd6

SHA1
816cdad7d2ac67608857fd46c66e44f692e8b356

SHA256
9d4e02114531d4ef87ed163b999fae392b43e5ef95aa286257ea9c6823d869e7

SHA512
71ff967d380497a149c222fc2faef05319974cb486076ed6d65f3bbe8558b9fd5e9777ad78fed746bfd707a33c6f7f6d75d4419a51fa5a7871f31a63ff9a7035

Download Submit
C:\Windows\System32\RmClient\RuntimeBroker.exe

Filesize
1.1MB

MD5
1a6a898a0abfa818a97e0c741f62a651

SHA1
e64e7fa94a829b00de8d7a9442745f1fccfd4d26

SHA256
6465e923bf241700a250f531b63fc650c66e97c5affa1f70a0aa6a75bf63b561

SHA512
d659ce4b692548eb33283398b8065296a7fb251865734c0b6269b1618999c8da7cef528a0644e9ca83a89b5c194ca44de3b8ff34e77abc0c221756f0ce2ef9ca

Download Submit
memory/612-393-0x000000001BED0000-0x000000001BFD2000-memory.dmp

Filesize
1.0MB

Download
memory/1536-381-0x000000001B970000-0x000000001BA72000-memory.dmp

Filesize
1.0MB

Download
memory/1660-348-0x0000000002250000-0x0000000002262000-memory.dmp

Filesize
72KB

Download
memory/1872-442-0x0000000002230000-0x0000000002242000-memory.dmp

Filesize
72KB

Download
memory/2004-25-0x00007FF928E50000-0x00007FF929911000-memory.dmp

Filesize
10.8MB

Download
memory/2004-5-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/2004-13-0x000000001B3D0000-0x000000001B3DA000-memory.dmp

Filesize
40KB

Download
memory/2004-18-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/2004-20-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/2004-12-0x000000001B3C0000-0x000000001B3C8000-memory.dmp

Filesize
32KB

Download
memory/2004-11-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/2004-10-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2004-15-0x000000001B3F0000-0x000000001B3FA000-memory.dmp

Filesize
40KB

Download
memory/2004-129-0x00007FF928E50000-0x00007FF929911000-memory.dmp

Filesize
10.8MB

Download
memory/2004-21-0x000000001BB60000-0x000000001BB68000-memory.dmp

Filesize
32KB

Download
memory/2004-8-0x000000001B370000-0x000000001B378000-memory.dmp

Filesize
32KB

Download
memory/2004-7-0x000000001B360000-0x000000001B36C000-memory.dmp

Filesize
48KB

Download
memory/2004-6-0x0000000002A70000-0x0000000002A7A000-memory.dmp

Filesize
40KB

Download
memory/2004-14-0x000000001B3E0000-0x000000001B3EC000-memory.dmp

Filesize
48KB

Download
memory/2004-16-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/2004-9-0x000000001B380000-0x000000001B38C000-memory.dmp

Filesize
48KB

Download
memory/2004-0-0x00007FF928E53000-0x00007FF928E55000-memory.dmp

Filesize
8KB

Download
memory/2004-4-0x0000000002A60000-0x0000000002A72000-memory.dmp

Filesize
72KB

Download
memory/2004-3-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download
memory/2004-24-0x00007FF928E50000-0x00007FF929911000-memory.dmp

Filesize
10.8MB

Download
memory/2004-2-0x00007FF928E50000-0x00007FF929911000-memory.dmp

Filesize
10.8MB

Download
memory/2004-17-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/2004-1-0x0000000000620000-0x0000000000734000-memory.dmp

Filesize
1.1MB

Download
memory/2064-406-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/2064-417-0x000000001C310000-0x000000001C412000-memory.dmp

Filesize
1.0MB

Download
memory/2476-418-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/2476-426-0x000000001BC80000-0x000000001BD82000-memory.dmp

Filesize
1.0MB

Download
memory/2960-88-0x000002A85C050000-0x000002A85C072000-memory.dmp

Filesize
136KB

Download
memory/3112-457-0x00000000010D0000-0x00000000010E2000-memory.dmp

Filesize
72KB

Download
memory/3488-427-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/3836-404-0x000000001C010000-0x000000001C112000-memory.dmp

Filesize
1.0MB

Download