dcrat | 4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06abb382ad59957f5f38c5c099a3b51f.exe
Size

1.1MB
MD5

06abb382ad59957f5f38c5c099a3b51f
SHA1

28509e4bd32e4fd4bc4d64b8e41ee7bbae1c0087
SHA256

bd7c02ba50734e9ca3988a4f138e3cb72956fdb24583fd7281ecbe9974bf06fd
SHA512

4934fe7ddbb62d1c027fd5999c785733721287ea3d352b44d81386304e16a652086b7b7e30668d630796b2d0347c1276eb5d7a1694252e08b11299a95c8d5da2
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\", \"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\", \"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\", \"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\upfc.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\", \"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\upfc.exe\", \"C:\\Windows\\System32\\eapphost\\SppExtComObj.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\", \"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\upfc.exe\", \"C:\\Windows\\System32\\eapphost\\SppExtComObj.exe\", \"C:\\Windows\\System32\\elslad\\dllhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\", \"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\upfc.exe\", \"C:\\Windows\\System32\\eapphost\\SppExtComObj.exe\", \"C:\\Windows\\System32\\elslad\\dllhost.exe\", \"C:\\ProgramData\\Templates\\SearchApp.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	3004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3004	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3004	schtasks.exe	87

UAC bypass 3 TTPs 54 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4716	powershell.exe
4548	powershell.exe
2572	powershell.exe
968	powershell.exe
624	powershell.exe
5516	powershell.exe
1440	powershell.exe
4708	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	06abb382ad59957f5f38c5c099a3b51f.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	06abb382ad59957f5f38c5c099a3b51f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 17 IoCs

pid	Process
5876	dllhost.exe
4144	dllhost.exe
5136	dllhost.exe
3896	dllhost.exe
5656	dllhost.exe
2384	dllhost.exe
5984	dllhost.exe
3808	dllhost.exe
5036	dllhost.exe
2192	dllhost.exe
1616	dllhost.exe
5080	dllhost.exe
4168	dllhost.exe
5720	dllhost.exe
3184	dllhost.exe
1624	dllhost.exe
728	dllhost.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06abb382ad59957f5f38c5c099a3b51f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\upfc.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\eapphost\\SppExtComObj.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\elslad\\dllhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\ProgramData\\Templates\\SearchApp.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06abb382ad59957f5f38c5c099a3b51f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\07a133336a6976c0bc2763dff9b03368\\06abb382ad59957f5f38c5c099a3b51f.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\ErrorDetails\\dllhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\upfc.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\eapphost\\SppExtComObj.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\elslad\\dllhost.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\ProgramData\\Templates\\SearchApp.exe\""	06abb382ad59957f5f38c5c099a3b51f.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\eapphost\SppExtComObj.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\elslad\5940a34987c991	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\ErrorDetails\RCX6469.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\ErrorDetails\dllhost.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\eapphost\RCX6A86.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\eapphost\SppExtComObj.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\eapphost\e1ef82546f0b02	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\elslad\dllhost.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\elslad\RCX6C8B.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\System32\elslad\dllhost.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\ErrorDetails\dllhost.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\System32\ErrorDetails\5940a34987c991	06abb382ad59957f5f38c5c099a3b51f.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX6882.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\upfc.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\upfc.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\ea1d8f6d871115	06abb382ad59957f5f38c5c099a3b51f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	06abb382ad59957f5f38c5c099a3b51f.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\RCX667D.tmp	06abb382ad59957f5f38c5c099a3b51f.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	06abb382ad59957f5f38c5c099a3b51f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	06abb382ad59957f5f38c5c099a3b51f.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4872	schtasks.exe
1944	schtasks.exe
4880	schtasks.exe
1352	schtasks.exe
4568	schtasks.exe
4532	schtasks.exe
4652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
5800	06abb382ad59957f5f38c5c099a3b51f.exe
4716	powershell.exe
4716	powershell.exe
2572	powershell.exe
2572	powershell.exe
4548	powershell.exe
4548	powershell.exe
1440	powershell.exe
1440	powershell.exe
968	powershell.exe
968	powershell.exe
5516	powershell.exe
5516	powershell.exe
4708	powershell.exe
4708	powershell.exe
624	powershell.exe
624	powershell.exe
4708	powershell.exe
4716	powershell.exe
2572	powershell.exe
1440	powershell.exe
4548	powershell.exe
5516	powershell.exe
624	powershell.exe
968	powershell.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe
5876	dllhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5800	06abb382ad59957f5f38c5c099a3b51f.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	5876	dllhost.exe
Token: SeDebugPrivilege	4144	dllhost.exe
Token: SeDebugPrivilege	5136	dllhost.exe
Token: SeDebugPrivilege	3896	dllhost.exe
Token: SeDebugPrivilege	5656	dllhost.exe
Token: SeDebugPrivilege	2384	dllhost.exe
Token: SeDebugPrivilege	5984	dllhost.exe
Token: SeDebugPrivilege	3808	dllhost.exe
Token: SeDebugPrivilege	5036	dllhost.exe
Token: SeDebugPrivilege	2192	dllhost.exe
Token: SeDebugPrivilege	1616	dllhost.exe
Token: SeDebugPrivilege	5080	dllhost.exe
Token: SeDebugPrivilege	4168	dllhost.exe
Token: SeDebugPrivilege	5720	dllhost.exe
Token: SeDebugPrivilege	3184	dllhost.exe
Token: SeDebugPrivilege	1624	dllhost.exe
Token: SeDebugPrivilege	728	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5800 wrote to memory of 968	5800	06abb382ad59957f5f38c5c099a3b51f.exe	98
PID 5800 wrote to memory of 968	5800	06abb382ad59957f5f38c5c099a3b51f.exe	98
PID 5800 wrote to memory of 2572	5800	06abb382ad59957f5f38c5c099a3b51f.exe	99
PID 5800 wrote to memory of 2572	5800	06abb382ad59957f5f38c5c099a3b51f.exe	99
PID 5800 wrote to memory of 4548	5800	06abb382ad59957f5f38c5c099a3b51f.exe	100
PID 5800 wrote to memory of 4548	5800	06abb382ad59957f5f38c5c099a3b51f.exe	100
PID 5800 wrote to memory of 4716	5800	06abb382ad59957f5f38c5c099a3b51f.exe	101
PID 5800 wrote to memory of 4716	5800	06abb382ad59957f5f38c5c099a3b51f.exe	101
PID 5800 wrote to memory of 4708	5800	06abb382ad59957f5f38c5c099a3b51f.exe	102
PID 5800 wrote to memory of 4708	5800	06abb382ad59957f5f38c5c099a3b51f.exe	102
PID 5800 wrote to memory of 1440	5800	06abb382ad59957f5f38c5c099a3b51f.exe	103
PID 5800 wrote to memory of 1440	5800	06abb382ad59957f5f38c5c099a3b51f.exe	103
PID 5800 wrote to memory of 5516	5800	06abb382ad59957f5f38c5c099a3b51f.exe	104
PID 5800 wrote to memory of 5516	5800	06abb382ad59957f5f38c5c099a3b51f.exe	104
PID 5800 wrote to memory of 624	5800	06abb382ad59957f5f38c5c099a3b51f.exe	105
PID 5800 wrote to memory of 624	5800	06abb382ad59957f5f38c5c099a3b51f.exe	105
PID 5800 wrote to memory of 3632	5800	06abb382ad59957f5f38c5c099a3b51f.exe	114
PID 5800 wrote to memory of 3632	5800	06abb382ad59957f5f38c5c099a3b51f.exe	114
PID 3632 wrote to memory of 2160	3632	cmd.exe	116
PID 3632 wrote to memory of 2160	3632	cmd.exe	116
PID 3632 wrote to memory of 5876	3632	cmd.exe	119
PID 3632 wrote to memory of 5876	3632	cmd.exe	119
PID 5876 wrote to memory of 4436	5876	dllhost.exe	120
PID 5876 wrote to memory of 4436	5876	dllhost.exe	120
PID 5876 wrote to memory of 2104	5876	dllhost.exe	121
PID 5876 wrote to memory of 2104	5876	dllhost.exe	121
PID 4436 wrote to memory of 4144	4436	WScript.exe	123
PID 4436 wrote to memory of 4144	4436	WScript.exe	123
PID 4144 wrote to memory of 1528	4144	dllhost.exe	124
PID 4144 wrote to memory of 1528	4144	dllhost.exe	124
PID 4144 wrote to memory of 5416	4144	dllhost.exe	125
PID 4144 wrote to memory of 5416	4144	dllhost.exe	125
PID 1528 wrote to memory of 5136	1528	WScript.exe	126
PID 1528 wrote to memory of 5136	1528	WScript.exe	126
PID 5136 wrote to memory of 3616	5136	dllhost.exe	127
PID 5136 wrote to memory of 3616	5136	dllhost.exe	127
PID 5136 wrote to memory of 4460	5136	dllhost.exe	128
PID 5136 wrote to memory of 4460	5136	dllhost.exe	128
PID 3616 wrote to memory of 3896	3616	WScript.exe	130
PID 3616 wrote to memory of 3896	3616	WScript.exe	130
PID 3896 wrote to memory of 2784	3896	dllhost.exe	131
PID 3896 wrote to memory of 2784	3896	dllhost.exe	131
PID 3896 wrote to memory of 3244	3896	dllhost.exe	132
PID 3896 wrote to memory of 3244	3896	dllhost.exe	132
PID 2784 wrote to memory of 5656	2784	WScript.exe	135
PID 2784 wrote to memory of 5656	2784	WScript.exe	135
PID 5656 wrote to memory of 3388	5656	dllhost.exe	136
PID 5656 wrote to memory of 3388	5656	dllhost.exe	136
PID 5656 wrote to memory of 3648	5656	dllhost.exe	137
PID 5656 wrote to memory of 3648	5656	dllhost.exe	137
PID 3388 wrote to memory of 2384	3388	WScript.exe	144
PID 3388 wrote to memory of 2384	3388	WScript.exe	144
PID 2384 wrote to memory of 4672	2384	dllhost.exe	145
PID 2384 wrote to memory of 4672	2384	dllhost.exe	145
PID 2384 wrote to memory of 2540	2384	dllhost.exe	146
PID 2384 wrote to memory of 2540	2384	dllhost.exe	146
PID 4672 wrote to memory of 5984	4672	WScript.exe	147
PID 4672 wrote to memory of 5984	4672	WScript.exe	147
PID 5984 wrote to memory of 4668	5984	dllhost.exe	148
PID 5984 wrote to memory of 4668	5984	dllhost.exe	148
PID 5984 wrote to memory of 3396	5984	dllhost.exe	149
PID 5984 wrote to memory of 3396	5984	dllhost.exe	149
PID 4668 wrote to memory of 3808	4668	WScript.exe	150
PID 4668 wrote to memory of 3808	4668	WScript.exe	150

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06abb382ad59957f5f38c5c099a3b51f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06abb382ad59957f5f38c5c099a3b51f.exe
"C:\Users\Admin\AppData\Local\Temp\06abb382ad59957f5f38c5c099a3b51f.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\06abb382ad59957f5f38c5c099a3b51f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\07a133336a6976c0bc2763dff9b03368\06abb382ad59957f5f38c5c099a3b51f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ErrorDetails\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\eapphost\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\elslad\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6GkoWAZTdh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2160
- - C:\Windows\System32\elslad\dllhost.exe
    "C:\Windows\System32\elslad\dllhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f08bb5c0-bddc-480a-824c-49f61c47deda.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4144
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8faf2dd8-f4e4-485b-80f3-b8111a8197ce.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc9ccb1b-ecb0-4fae-8431-acdcfd6b3870.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8fa530-300a-4d84-99bb-8df429586e3d.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c460a9b8-beb8-4997-b576-da096acbf5f7.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5f6bca-fbb0-4edb-9e67-cb2499a00d25.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f21a3cf7-66a3-4abb-9522-7d3970eca60f.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93fd6302-2440-42f5-aef3-521f4f74ac97.vbs"
        18⤵
        
        PID:5884
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b414e8a1-f0b6-4cbc-967a-102573271a9c.vbs"
        20⤵
        
        PID:5784
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81bcf870-d2bd-4a3b-afc0-f18072a08275.vbs"
        22⤵
        
        PID:4724
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f802104a-edd0-4991-beaa-e5e30e96a09a.vbs"
        24⤵
        
        PID:3496
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e123f018-bad4-4c69-a4f3-c11c26d2c64e.vbs"
        26⤵
        
        PID:3772
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34a2e163-899b-407a-86e3-7693c2906d55.vbs"
        28⤵
        
        PID:4676
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9547acf7-bea2-47cf-bdd4-72894b7b319e.vbs"
        30⤵
        
        PID:1620
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb42a4c9-7bcf-4c9c-b95c-8680bdc120b3.vbs"
        32⤵
        
        PID:3668
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7644dda4-0e53-49d4-aee7-6f70b1a75e8b.vbs"
        34⤵
        
        PID:1060
        
        C:\Windows\System32\elslad\dllhost.exe
        
        C:\Windows\System32\elslad\dllhost.exe
        35⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\244ee1c7-0892-4a6c-bcb6-19fc89621306.vbs"
        36⤵
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0a1c4f0-b70e-403e-b185-b0efa4dec21f.vbs"
        36⤵
        
        PID:3172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c48fdffd-7789-43e7-bc33-1e5aa7766629.vbs"
        34⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76f81ed-bfec-485e-9c0f-dd62f911edec.vbs"
        32⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba1afb45-c5af-4024-8cfb-12d5c5bd1f0e.vbs"
        30⤵
        
        PID:5304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3400783-9766-4530-8315-3a8b93ca7e44.vbs"
        28⤵
        
        PID:5464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d59f1adf-31a2-4e7e-a3c6-30e12cd54646.vbs"
        26⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed6e556-9340-4d35-a11d-c97502481cf5.vbs"
        24⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4fcbaf-3a82-476e-859b-394d355fa9f3.vbs"
        22⤵
        
        PID:5852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abc2d7ac-3f96-41e0-955c-bc8a0ee02f33.vbs"
        20⤵
        
        PID:5584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\188e9163-c17d-4a0d-a7d1-efcad9285549.vbs"
        18⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4add8fcb-ffe3-46d7-be85-fc810e43572d.vbs"
        16⤵
        
        PID:3396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72d12088-1a66-48c9-a9a5-2d059e9cb2fc.vbs"
        14⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e26452a-da9a-4be2-baab-492ef415bac6.vbs"
        12⤵
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\310d3aed-e2d5-4661-8bae-19e6bfd279e8.vbs"
        10⤵
        
        PID:3244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64ce203f-6df3-4550-847a-a523906d6146.vbs"
        8⤵
        
        PID:4460
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4695cd6-3e99-48e6-8a28-156956c29f2d.vbs"
        6⤵
        
        PID:5416
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d59d5d-adb7-4267-844c-2ef1392fd4ca.vbs"
      4⤵
      PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "06abb382ad59957f5f38c5c099a3b51f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\07a133336a6976c0bc2763dff9b03368\06abb382ad59957f5f38c5c099a3b51f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ErrorDetails\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\eapphost\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\elslad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\ProgramData\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2b757fcfd80533e2e11dca5713b74b37

SHA1
3158d75c2ca5ed926e41ca7572624a14c87dbd63

SHA256
0ee20fb0a646520cbbea2c048126f7628085bf8a3f149dd453b8852844d9c650

SHA512
b45a93eff264fb0732daeec91ebe53c0256770129818e370d30f248e0e238fb48c73f9926eaa8d2f6669c96b118d0b23233a45be231f6b7c29955475ffcc28f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44ae12563d9f97ac1136baee629673df

SHA1
38790549497302c43bd3ff6c5225e8c7054829e2

SHA256
b09202e29f036511a075523ebcaecef0a43ceeb4f2c8029e5c7931a8e2e72beb

SHA512
07cf8ed791245485aae4ee05cd6b77eb0a36c8a839da6eae1554dc0487559c270241733ae8ed184c8d38a956452a2255169a3adeb40a0da1d9e2e487864a35e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35899eb6a9554561b7c476f3a99ab4b1

SHA1
fbc0f2bbb04b2ec275ec0fbbfdfe6757eba95109

SHA256
9640532e222df3765bc718964d1262b65fd4fd03e318515f3a342f65b2d28391

SHA512
cbd48768d100da871023f4a8cfb0e19a584c560770a61089118191f9867f11e5833c7accd904118e4dd237343dc1f8a46f14a45b76be042d04f26c2c26dc4626

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d59d5d-adb7-4267-844c-2ef1392fd4ca.vbs

Filesize
490B

MD5
70abb2478be56dd8c64dabfe145d436e

SHA1
4b259477276ca55b2a9bd9527c4789443f40cc20

SHA256
f287743d41da6195a281651bd3b0e9543cd451f5dc068b1de8cf4673daeb1fa7

SHA512
ea62c87bbf753caecb5f9c97955fa80bda63b2eebd861d109a5dc3fa86b07b73c1adcb0c702d28968e261058a99301b2c3ce847a09de59a62311f11e92670ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\34a2e163-899b-407a-86e3-7693c2906d55.vbs

Filesize
714B

MD5
94febedf38266c31b388e249ed0cc111

SHA1
602ae48fa2a0c97d4344e46020328117f1980d64

SHA256
0e26661023362d04dd4bb7c68012d735127928e92dd8452aaeeef89f63cb89fb

SHA512
432bac3eaa0c9c81d178d4da909489c454179ba62f6a91eab06bb60d0a47cbfee0f8384632fc349b20942ad4ecf11c439c4312b36858153a75d78b6f277ec8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\6GkoWAZTdh.bat

Filesize
202B

MD5
50ad0171bf47f415d21add50f1e52620

SHA1
52805861a515ce18f0e2745105b4e04911b4de96

SHA256
4800255c88bec614c5337037a0bb46aa4a0c29175032bffa196e15a08796c876

SHA512
b7f01b9da325f7aaad9b485797bbacb353ba38dd3e99014257fd5dfa050c86cf50bb41e240a3ad931721463162b5caa0f498516f1f27869ff91f5dddc1f67f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\81bcf870-d2bd-4a3b-afc0-f18072a08275.vbs

Filesize
714B

MD5
60e7b64065273e3a7e1f4d2f72b6ef43

SHA1
0939551a1d187e62c3c5b5594ece62840e3ea314

SHA256
1a9d75ccdfad9074805892e77a1341282ba6b1971fa2ddeabdbedd49765f8d8a

SHA512
da9cd29e3270b1bdce735155d0fca95ec28fa33d1f1b778cafb7db76a38b2d7936becab1a713a0b651331c69214e43a47a834d6178fade4558c105413a303b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8faf2dd8-f4e4-485b-80f3-b8111a8197ce.vbs

Filesize
714B

MD5
108c6732d07d938520e38e00e916f9f8

SHA1
80f2ea2957f9ac0d86b78b44d369238251632026

SHA256
bc53ea2c8340b420718d99a2429534e6c05f86bf058a96bbb4289ba279576926

SHA512
d6dc4b773970d6f4a089343ef1b8fad68005726f33a1da155d63b78b08a34597ead06d127d4795fafb57bc7d48184b0875e0850c062db8ceb3e222be1d07d9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\93fd6302-2440-42f5-aef3-521f4f74ac97.vbs

Filesize
714B

MD5
17858acccb2b471b94af98b9f324faae

SHA1
7bbb8746a3f707e493c38428a58f945fbd5335a4

SHA256
a3cc5936b7581b487d55a6100686cf39aefcf426086abd8425dd3d30b9e33c45

SHA512
c7dae9e688193080a2a79a9383cc79f4fa0afa86ad2e6a0c1250b8a3c48a63243b68f7f70d8657d304a8b2c6b6c402935caf178ab7bb3d17e34027613497a14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c5f6bca-fbb0-4edb-9e67-cb2499a00d25.vbs

Filesize
714B

MD5
f43c632d0b982c413a2a2d121707517a

SHA1
c67c524251bea51daea235768dbec8246db722b3

SHA256
5fa42a3e6134b16c0857c0a84e175b14e8432fa594de00b43ba7002d5d8cdfcd

SHA512
2464360d7e64b8c19cda88510e58cb4399caaa3830bd645b4f8c81cfd2ec849cea0611756d4a0aa045c44f6048ef57f94097fb8fc7adb1fe94222fbba885dc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uyyoqrco.2xl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b414e8a1-f0b6-4cbc-967a-102573271a9c.vbs

Filesize
714B

MD5
8d287149a7ba719b2597d5ae3477054f

SHA1
2eae8c56378b4e4cdc53604e136353a99d2cad1e

SHA256
7502d2f259b8f2317cf5788ebb29793e5503648aab7d0f67960543fe87d771e2

SHA512
ed41f0603f3f919a273b54c8f296e0016f4b14f057778888932aac4bfce9dbe415752e6aeaf7fd5d57a5c2e9bed5199b4123ec06ea688f22590fa2244ba2a3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c460a9b8-beb8-4997-b576-da096acbf5f7.vbs

Filesize
714B

MD5
4313078475f8fbf70dab75f86b9ab4ab

SHA1
ecc83264b07d6d5b1ecf61376be3b73c250f0006

SHA256
d9044dac16658cd8103262e0e26eed2a56ea9031f6d5dccb0617b70ce778a84d

SHA512
6e1b154782c430a63afe2fc00925d2c1a15c0d67f5e39af14c97df86eae8a1a044256dfe3fd4bd9fc158901bfff934cdc3af2e055e2e710ed5f8904c27b419b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc9ccb1b-ecb0-4fae-8431-acdcfd6b3870.vbs

Filesize
714B

MD5
2c1a2f0a9b179d35b144cf8ba1270107

SHA1
68a65a97a642502654214d4812beb3660c22b325

SHA256
fec7d1d465ff6621ac80b994b54935f8aa1ad6ed5b8cda1976a76db3dab3d871

SHA512
0659388b91f64aa4de18c3c008691d3b8743c0580b14f8a7e198293f4395f03028cfb4983cd6776750a2f5f5de5386f13cfb129687fec55682f76b7d8555758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e123f018-bad4-4c69-a4f3-c11c26d2c64e.vbs

Filesize
714B

MD5
1ea090afafba3ac8bf27aeb165303ee0

SHA1
3ce27986825c54b9709d60f6c5e4687bca40a80c

SHA256
f66da233774f9b755d2a2fd9fd46daecfe49d0a47162d405deba9b39c45657c5

SHA512
baabf679de53ec25dcae26cf097f58b48671cea24ee3a8ffa2249770e31e636d8e4729419b73386011e35991114ecaafc5647ba1282342589595f133d302a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed8fa530-300a-4d84-99bb-8df429586e3d.vbs

Filesize
714B

MD5
69c9d6cb1b74614a84890efd25b50c90

SHA1
eda8c3fce00b27bf43f53354e53b9ea4ed5e9eb5

SHA256
5bf3b99429cb9c783e3f690399c2451d78ca038c09b6dc3e2cfcd6790f41f7a3

SHA512
d12ec126c0cc76d918ef0a381c03e26c8c8ef397d009a6e3592df86ec3d69c76f409a130b1eea0ec9f08c08ae05047663d70c1975fb5533d70dc04317434fc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\f08bb5c0-bddc-480a-824c-49f61c47deda.vbs

Filesize
714B

MD5
5ef9f1384a1e3e25fc970da4041cb386

SHA1
c51176983c4dcbe0a43309d46d7b5aca9dcb0bba

SHA256
c49f01731efeb13ea603d4ef4d2990e9947c57916db73368c6c4df7bea1613cf

SHA512
65d4d41887cf0098621ff0e7ff36a7c2ab4ad7340509454ae72d696aded5395f88ea7c322a946f6c82f2b11cd8cc08a49b67eb17c02f1fcca51c21684f925d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\f21a3cf7-66a3-4abb-9522-7d3970eca60f.vbs

Filesize
714B

MD5
ead227187ffb3223c237ce70ff86feda

SHA1
8677122c30152faf93db8a6231dc117cd6dd5fd3

SHA256
0b67528487d97ac6b78d3faaa547526668b848208fecd9cf1b7dd4bcb5e8ffd9

SHA512
5e8a5e26c6734f8cdc5354c7f93ffdce60bd329cdbf796f53e517c6c230692e61f2ccf3a389dfdc0fe49bc14151de11b2f5edc0bc1f89c7b2ae6b3322a3e5f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f802104a-edd0-4991-beaa-e5e30e96a09a.vbs

Filesize
714B

MD5
488c23af7865fd1fe1846546da062c5c

SHA1
0666874354abc7e1737b15df67c166b60e0fb4e0

SHA256
1353d97b02bab5e80ff8669409a5f19cdc4b7b282ac8f6da82f7835c1c653a86

SHA512
dea84bc09af27a8caa2b9f4668c09944ce6cd4f59b6bf7aeff7f28f8823bfeb8aceec9af093ec753f35c77ce2a6c57654b777e7797b9069bacdbf042e14736f4

Download Submit
C:\Windows\System32\eapphost\SppExtComObj.exe

Filesize
1.1MB

MD5
06abb382ad59957f5f38c5c099a3b51f

SHA1
28509e4bd32e4fd4bc4d64b8e41ee7bbae1c0087

SHA256
bd7c02ba50734e9ca3988a4f138e3cb72956fdb24583fd7281ecbe9974bf06fd

SHA512
4934fe7ddbb62d1c027fd5999c785733721287ea3d352b44d81386304e16a652086b7b7e30668d630796b2d0347c1276eb5d7a1694252e08b11299a95c8d5da2

Download Submit
C:\Windows\System32\elslad\dllhost.exe

Filesize
1.1MB

MD5
3919ea5822e5e1fcbf72a51d6b22d15d

SHA1
d69c42d29063d0a8e45f53c2c21599f421f5914c

SHA256
f0cd789683c8dac6b97832d9a918074f53b6ea98bc2add9cbf8af73a549b4c8a

SHA512
92d07405dd140e37bc0568be2f9ab1278bb072b1e81a84d98b41c90aea81e28198356832f153e1da6b9e0d0149a041aaac585e8ff5ac662997a81953ba8237ba

Download Submit
memory/728-363-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/1616-306-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/2192-294-0x0000000001030000-0x0000000001042000-memory.dmp

Filesize
72KB

Download
memory/2572-105-0x000001E26A240000-0x000001E26A262000-memory.dmp

Filesize
136KB

Download
memory/5136-214-0x0000000001600000-0x0000000001612000-memory.dmp

Filesize
72KB

Download
memory/5656-237-0x0000000001810000-0x0000000001822000-memory.dmp

Filesize
72KB

Download
memory/5720-340-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/5800-16-0x0000000002A30000-0x0000000002A38000-memory.dmp

Filesize
32KB

Download
memory/5800-7-0x00000000011F0000-0x00000000011FC000-memory.dmp

Filesize
48KB

Download
memory/5800-14-0x0000000002A10000-0x0000000002A1C000-memory.dmp

Filesize
48KB

Download
memory/5800-25-0x00007FFD4A610000-0x00007FFD4B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5800-12-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/5800-11-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/5800-10-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/5800-8-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/5800-15-0x0000000002A20000-0x0000000002A2A000-memory.dmp

Filesize
40KB

Download
memory/5800-9-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/5800-0-0x00007FFD4A613000-0x00007FFD4A615000-memory.dmp

Filesize
8KB

Download
memory/5800-17-0x0000000002A40000-0x0000000002A4C000-memory.dmp

Filesize
48KB

Download
memory/5800-6-0x00000000011D0000-0x00000000011DA000-memory.dmp

Filesize
40KB

Download
memory/5800-13-0x0000000002A00000-0x0000000002A0A000-memory.dmp

Filesize
40KB

Download
memory/5800-95-0x00007FFD4A610000-0x00007FFD4B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5800-24-0x00007FFD4A610000-0x00007FFD4B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5800-5-0x00000000011E0000-0x00000000011EC000-memory.dmp

Filesize
48KB

Download
memory/5800-4-0x00000000011C0000-0x00000000011D2000-memory.dmp

Filesize
72KB

Download
memory/5800-20-0x0000000002A60000-0x0000000002A6C000-memory.dmp

Filesize
48KB

Download
memory/5800-3-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/5800-18-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download
memory/5800-21-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/5800-2-0x00007FFD4A610000-0x00007FFD4B0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5800-1-0x0000000000740000-0x0000000000854000-memory.dmp

Filesize
1.1MB

Download
memory/5876-190-0x0000000000870000-0x0000000000984000-memory.dmp

Filesize
1.1MB

Download
memory/5984-260-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download