dcrat | f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f723cd9002531ad31487e588d1132bc.exe
Size

1.1MB
MD5

6f723cd9002531ad31487e588d1132bc
SHA1

c794aab74ea0c76d1c077ca87d175014bc76f0f5
SHA256

c9206100b2d07324c79a83cb515893a79d39a1de3a6dac7a72a7b167c41b6910
SHA512

198154faa272369a965747852699d562c43622f9fbe94daf2cd4d62c63e64f7c542904e582f074f57843fb35e5db500149ee58c1826d733688e54eb6da6ad5a2
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 22 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 22 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2816	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2816	schtasks.exe	30

UAC bypass 3 TTPs 48 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2744	powershell.exe
2992	powershell.exe
2864	powershell.exe
2296	powershell.exe
1588	powershell.exe
2428	powershell.exe
3036	powershell.exe
1936	powershell.exe
668	powershell.exe
2176	powershell.exe
2008	powershell.exe
1556	powershell.exe
2704	powershell.exe
2836	powershell.exe
1440	powershell.exe
2776	powershell.exe
1720	powershell.exe
280	powershell.exe
1588	powershell.exe
2104	powershell.exe
2324	powershell.exe
1508	powershell.exe
2744	powershell.exe
1252	powershell.exe
852	powershell.exe
1508	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6f723cd9002531ad31487e588d1132bc.exe

Executes dropped EXE 15 IoCs

pid	Process
1764	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
1940	6f723cd9002531ad31487e588d1132bc.exe
2556	explorer.exe
2644	explorer.exe
1632	explorer.exe
836	explorer.exe
2392	explorer.exe
2888	explorer.exe
2184	explorer.exe
1920	explorer.exe
2456	explorer.exe
2100	explorer.exe
2388	explorer.exe
2220	explorer.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\bdaplgin\\lsass.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Tasks\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\TAPI\\OSPPSVC.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\alg\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\6f723cd9002531ad31487e588d1132bc = "\"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Music\\Idle.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\6f723cd9002531ad31487e588d1132bc = "\"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\RpcPing\\lsass.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Application Data\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6f723cd9002531ad31487e588d1132bc = "\"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\RpcPing\\lsass.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\PerfLogs\\Admin\\System.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Tasks\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\TAPI\\OSPPSVC.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\alg\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\6f723cd9002531ad31487e588d1132bc = "\"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twunk_32\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Music\\Idle.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\twext\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\networkmap\\taskhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twunk_32\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6f723cd9002531ad31487e588d1132bc = "\"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Application Data\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\rgb9rast\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\rgb9rast\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6f723cd9002531ad31487e588d1132bc = "\"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\twext\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows NT\\Accessories\\it-IT\\WmiPrvSE.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows NT\\Accessories\\it-IT\\WmiPrvSE.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\networkmap\\taskhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\bdaplgin\\lsass.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\ntshrui\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\ntshrui\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\System32\rgb9rast\smss.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\networkmap\RCX89BC.tmp	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\RpcPing\lsass.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\alg\smss.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\rgb9rast\RCX8BC0.tmp	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\bdaplgin\lsass.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\api-ms-win-core-delayload-l1-1-0\taskhost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\IcCoinstall\wininit.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\twext\f3b6ecef712a24	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\networkmap\b75386f1303e64	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\networkmap\taskhost.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\bdaplgin\6203df4a6bafc7	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\RpcPing\6203df4a6bafc7	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\IcCoinstall\56085415360792	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\JavaScriptCollectionAgent\sppsvc.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\twext\spoolsv.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\networkmap\taskhost.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\rgb9rast\smss.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\ntshrui\csrss.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\IcCoinstall\wininit.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\alg\smss.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\RpcPing\lsass.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\JavaScriptCollectionAgent\sppsvc.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\JavaScriptCollectionAgent\0a1fd5f707cd16	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\twext\spoolsv.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\alg\69ddcba757bf72	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\rgb9rast\69ddcba757bf72	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\api-ms-win-core-delayload-l1-1-0\b75386f1303e64	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\alg\RCX87B8.tmp	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\bdaplgin\lsass.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\ntshrui\886983d96e3d3e	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\System32\api-ms-win-core-delayload-l1-1-0\taskhost.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\System32\ntshrui\csrss.exe	6f723cd9002531ad31487e588d1132bc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\it-IT\WmiPrvSE.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\24dbde2999530e	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\WmiPrvSE.exe	6f723cd9002531ad31487e588d1132bc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twunk_32\explorer.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\twunk_32\7a0fd90576e088	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\Registration\CRMLog\0331d53bc93ee1	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\Tasks\wininit.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\TAPI\OSPPSVC.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\TAPI\1610b97d3ab4a7	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\Tasks\wininit.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\twunk_32\explorer.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\Registration\CRMLog\6f723cd9002531ad31487e588d1132bc.exe	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\Registration\CRMLog\6f723cd9002531ad31487e588d1132bc.exe	6f723cd9002531ad31487e588d1132bc.exe
File created	C:\Windows\Tasks\56085415360792	6f723cd9002531ad31487e588d1132bc.exe
File opened for modification	C:\Windows\TAPI\OSPPSVC.exe	6f723cd9002531ad31487e588d1132bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
1492	schtasks.exe
2240	schtasks.exe
2192	schtasks.exe
2356	schtasks.exe
2916	schtasks.exe
1520	schtasks.exe
1148	schtasks.exe
1496	schtasks.exe
804	schtasks.exe
996	schtasks.exe
1996	schtasks.exe
2972	schtasks.exe
2780	schtasks.exe
2664	schtasks.exe
2144	schtasks.exe
2840	schtasks.exe
2628	schtasks.exe
2684	schtasks.exe
2808	schtasks.exe
2448	schtasks.exe
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2472	6f723cd9002531ad31487e588d1132bc.exe
2324	powershell.exe
2296	powershell.exe
2864	powershell.exe
1440	powershell.exe
2836	powershell.exe
1508	powershell.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
1764	6f723cd9002531ad31487e588d1132bc.exe
2428	powershell.exe
1720	powershell.exe
2776	powershell.exe
1556	powershell.exe
2008	powershell.exe
1588	powershell.exe
2744	powershell.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe
2564	6f723cd9002531ad31487e588d1132bc.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1764	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2564	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1940	6f723cd9002531ad31487e588d1132bc.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2556	explorer.exe
Token: SeDebugPrivilege	2644	explorer.exe
Token: SeDebugPrivilege	1632	explorer.exe
Token: SeDebugPrivilege	836	explorer.exe
Token: SeDebugPrivilege	2392	explorer.exe
Token: SeDebugPrivilege	2888	explorer.exe
Token: SeDebugPrivilege	2184	explorer.exe
Token: SeDebugPrivilege	1920	explorer.exe
Token: SeDebugPrivilege	2456	explorer.exe
Token: SeDebugPrivilege	2100	explorer.exe
Token: SeDebugPrivilege	2388	explorer.exe
Token: SeDebugPrivilege	2220	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2296	2472	6f723cd9002531ad31487e588d1132bc.exe	86
PID 2472 wrote to memory of 2296	2472	6f723cd9002531ad31487e588d1132bc.exe	86
PID 2472 wrote to memory of 2296	2472	6f723cd9002531ad31487e588d1132bc.exe	86
PID 2472 wrote to memory of 1440	2472	6f723cd9002531ad31487e588d1132bc.exe	37
PID 2472 wrote to memory of 1440	2472	6f723cd9002531ad31487e588d1132bc.exe	37
PID 2472 wrote to memory of 1440	2472	6f723cd9002531ad31487e588d1132bc.exe	37
PID 2472 wrote to memory of 1508	2472	6f723cd9002531ad31487e588d1132bc.exe	87
PID 2472 wrote to memory of 1508	2472	6f723cd9002531ad31487e588d1132bc.exe	87
PID 2472 wrote to memory of 1508	2472	6f723cd9002531ad31487e588d1132bc.exe	87
PID 2472 wrote to memory of 2864	2472	6f723cd9002531ad31487e588d1132bc.exe	39
PID 2472 wrote to memory of 2864	2472	6f723cd9002531ad31487e588d1132bc.exe	39
PID 2472 wrote to memory of 2864	2472	6f723cd9002531ad31487e588d1132bc.exe	39
PID 2472 wrote to memory of 2324	2472	6f723cd9002531ad31487e588d1132bc.exe	42
PID 2472 wrote to memory of 2324	2472	6f723cd9002531ad31487e588d1132bc.exe	42
PID 2472 wrote to memory of 2324	2472	6f723cd9002531ad31487e588d1132bc.exe	42
PID 2472 wrote to memory of 2836	2472	6f723cd9002531ad31487e588d1132bc.exe	43
PID 2472 wrote to memory of 2836	2472	6f723cd9002531ad31487e588d1132bc.exe	43
PID 2472 wrote to memory of 2836	2472	6f723cd9002531ad31487e588d1132bc.exe	43
PID 2472 wrote to memory of 780	2472	6f723cd9002531ad31487e588d1132bc.exe	48
PID 2472 wrote to memory of 780	2472	6f723cd9002531ad31487e588d1132bc.exe	48
PID 2472 wrote to memory of 780	2472	6f723cd9002531ad31487e588d1132bc.exe	48
PID 780 wrote to memory of 1956	780	cmd.exe	50
PID 780 wrote to memory of 1956	780	cmd.exe	50
PID 780 wrote to memory of 1956	780	cmd.exe	50
PID 780 wrote to memory of 1764	780	cmd.exe	51
PID 780 wrote to memory of 1764	780	cmd.exe	51
PID 780 wrote to memory of 1764	780	cmd.exe	51
PID 1764 wrote to memory of 2428	1764	6f723cd9002531ad31487e588d1132bc.exe	58
PID 1764 wrote to memory of 2428	1764	6f723cd9002531ad31487e588d1132bc.exe	58
PID 1764 wrote to memory of 2428	1764	6f723cd9002531ad31487e588d1132bc.exe	58
PID 1764 wrote to memory of 1556	1764	6f723cd9002531ad31487e588d1132bc.exe	59
PID 1764 wrote to memory of 1556	1764	6f723cd9002531ad31487e588d1132bc.exe	59
PID 1764 wrote to memory of 1556	1764	6f723cd9002531ad31487e588d1132bc.exe	59
PID 1764 wrote to memory of 1588	1764	6f723cd9002531ad31487e588d1132bc.exe	107
PID 1764 wrote to memory of 1588	1764	6f723cd9002531ad31487e588d1132bc.exe	107
PID 1764 wrote to memory of 1588	1764	6f723cd9002531ad31487e588d1132bc.exe	107
PID 1764 wrote to memory of 2008	1764	6f723cd9002531ad31487e588d1132bc.exe	62
PID 1764 wrote to memory of 2008	1764	6f723cd9002531ad31487e588d1132bc.exe	62
PID 1764 wrote to memory of 2008	1764	6f723cd9002531ad31487e588d1132bc.exe	62
PID 1764 wrote to memory of 2744	1764	6f723cd9002531ad31487e588d1132bc.exe	108
PID 1764 wrote to memory of 2744	1764	6f723cd9002531ad31487e588d1132bc.exe	108
PID 1764 wrote to memory of 2744	1764	6f723cd9002531ad31487e588d1132bc.exe	108
PID 1764 wrote to memory of 1720	1764	6f723cd9002531ad31487e588d1132bc.exe	67
PID 1764 wrote to memory of 1720	1764	6f723cd9002531ad31487e588d1132bc.exe	67
PID 1764 wrote to memory of 1720	1764	6f723cd9002531ad31487e588d1132bc.exe	67
PID 1764 wrote to memory of 2776	1764	6f723cd9002531ad31487e588d1132bc.exe	68
PID 1764 wrote to memory of 2776	1764	6f723cd9002531ad31487e588d1132bc.exe	68
PID 1764 wrote to memory of 2776	1764	6f723cd9002531ad31487e588d1132bc.exe	68
PID 1764 wrote to memory of 2564	1764	6f723cd9002531ad31487e588d1132bc.exe	72
PID 1764 wrote to memory of 2564	1764	6f723cd9002531ad31487e588d1132bc.exe	72
PID 1764 wrote to memory of 2564	1764	6f723cd9002531ad31487e588d1132bc.exe	72
PID 2564 wrote to memory of 3036	2564	6f723cd9002531ad31487e588d1132bc.exe	79
PID 2564 wrote to memory of 3036	2564	6f723cd9002531ad31487e588d1132bc.exe	79
PID 2564 wrote to memory of 3036	2564	6f723cd9002531ad31487e588d1132bc.exe	79
PID 2564 wrote to memory of 852	2564	6f723cd9002531ad31487e588d1132bc.exe	80
PID 2564 wrote to memory of 852	2564	6f723cd9002531ad31487e588d1132bc.exe	80
PID 2564 wrote to memory of 852	2564	6f723cd9002531ad31487e588d1132bc.exe	80
PID 2564 wrote to memory of 1252	2564	6f723cd9002531ad31487e588d1132bc.exe	81
PID 2564 wrote to memory of 1252	2564	6f723cd9002531ad31487e588d1132bc.exe	81
PID 2564 wrote to memory of 1252	2564	6f723cd9002531ad31487e588d1132bc.exe	81
PID 2564 wrote to memory of 668	2564	6f723cd9002531ad31487e588d1132bc.exe	84
PID 2564 wrote to memory of 668	2564	6f723cd9002531ad31487e588d1132bc.exe	84
PID 2564 wrote to memory of 668	2564	6f723cd9002531ad31487e588d1132bc.exe	84
PID 2564 wrote to memory of 280	2564	6f723cd9002531ad31487e588d1132bc.exe	117

System policy modification 1 TTPs 48 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f723cd9002531ad31487e588d1132bc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
"C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\alg\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\networkmap\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rgb9rast\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Application Data\6f723cd9002531ad31487e588d1132bc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xSIOjU0uCj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
    "C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\bdaplgin\lsass.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\Idle.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\6f723cd9002531ad31487e588d1132bc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ntshrui\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\api-ms-win-core-delayload-l1-1-0\taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
      "C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twunk_32\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\6f723cd9002531ad31487e588d1132bc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\RpcPing\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\JavaScriptCollectionAgent\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\IcCoinstall\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f723cd9002531ad31487e588d1132bc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\twext\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Application Data\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\OSPPSVC.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
      - C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a7529b-174e-4980-843b-92d64bb3cf76.vbs"
        7⤵
        
        PID:888
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\419a70de-3e56-4420-93d0-ad21d42098a4.vbs"
        9⤵
        
        PID:2464
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d6084c-4627-40be-a7f6-42e15408fd36.vbs"
        11⤵
        
        PID:2152
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed06c5b0-0bde-406b-b416-a43eb8cb4fa5.vbs"
        13⤵
        
        PID:1232
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7afdfb1-b275-4a16-87ec-35ff40bd2d58.vbs"
        15⤵
        
        PID:352
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137d12c0-234d-47e1-aa6e-0f9fec845250.vbs"
        17⤵
        
        PID:2408
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62947bd-7a33-493a-bc9d-bcc4588ecc7b.vbs"
        19⤵
        
        PID:1820
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25508098-5433-4619-a8f0-5222965040ef.vbs"
        21⤵
        
        PID:296
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68b635a-c0d7-4061-91a1-33a9031d960d.vbs"
        23⤵
        
        PID:848
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bc02473-410c-487d-bb67-d06be2be0262.vbs"
        25⤵
        
        PID:1108
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\affab3f3-9a6b-490e-9dd6-9be4fcb17041.vbs"
        27⤵
        
        PID:872
        
        C:\ProgramData\Application Data\explorer.exe
        
        "C:\ProgramData\Application Data\explorer.exe"
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f78bb6f-9b12-444c-8fa7-7acc20aad863.vbs"
        29⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\477bdde9-064c-49be-b41d-95510dddec70.vbs"
        29⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\177efa1f-d3dd-4d5c-9f11-12fcb3053eb5.vbs"
        27⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fb9fad5-6417-434f-92b7-502001843a4b.vbs"
        25⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0a11494-be0d-4a1d-8797-5a3ef3a9c893.vbs"
        23⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a35ad5-d0ea-41c8-b206-6ab6d5211507.vbs"
        21⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0dfcfeb-2f7f-4c9f-a8f6-53a3168a54b3.vbs"
        19⤵
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27843b6f-f95e-4b2e-ac28-a31c7a858b53.vbs"
        17⤵
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18290c86-2e50-47d3-a898-59b8d56e07a9.vbs"
        15⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c43a5aaf-094a-437c-970d-ed5b7b090508.vbs"
        13⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\802cfcfe-b9be-46e1-9a26-393e32b884e7.vbs"
        11⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7074b769-ae4a-4aa2-a1ca-ed987fbc2f4c.vbs"
        9⤵
        
        PID:280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1adbefc5-ee7c-44ef-a89b-48c23e81bd19.vbs"
        7⤵
        
        PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\alg\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\networkmap\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\rgb9rast\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f723cd9002531ad31487e588d1132bc" /sc ONLOGON /tr "'C:\ProgramData\Application Data\6f723cd9002531ad31487e588d1132bc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\bdaplgin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f723cd9002531ad31487e588d1132bc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\6f723cd9002531ad31487e588d1132bc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\ntshrui\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-delayload-l1-1-0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twunk_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f723cd9002531ad31487e588d1132bc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\6f723cd9002531ad31487e588d1132bc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\RpcPing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\JavaScriptCollectionAgent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\IcCoinstall\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-458878355-1110160431709094861-138038636-106003542-568451625950389316-1996133132"
1⤵
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\twext\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Application Data\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\TAPI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6f723cd9002531ad31487e588d1132bc.exe

Filesize
1.1MB

MD5
6f723cd9002531ad31487e588d1132bc

SHA1
c794aab74ea0c76d1c077ca87d175014bc76f0f5

SHA256
c9206100b2d07324c79a83cb515893a79d39a1de3a6dac7a72a7b167c41b6910

SHA512
198154faa272369a965747852699d562c43622f9fbe94daf2cd4d62c63e64f7c542904e582f074f57843fb35e5db500149ee58c1826d733688e54eb6da6ad5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\06a7529b-174e-4980-843b-92d64bb3cf76.vbs

Filesize
720B

MD5
ad4d74c5bcf15503a515e7422accf042

SHA1
7cdecec277cc1f598040602b0dc7c30b659e5fe5

SHA256
9eea1b7eeaea433e08bb91ff95703371519104ed38ffb554ec6ebf8f980aa51b

SHA512
fe0ce5609f6fea369486dedc226afa3a0a162c4d2e325d963505aaa3242e47fcb35149ffa2f17e9c21f0614ded8552f4ccc8a31358fe8763e9ae9b53b70e1fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\137d12c0-234d-47e1-aa6e-0f9fec845250.vbs

Filesize
720B

MD5
1f58c72dca0aec41f691b856a59fcaf7

SHA1
f7bab408bbc143ca7536ca1ea48d77e2960722f8

SHA256
cbde481a67821a2a469aff52f4d7a397e813b896fd778a54911155499d315d8f

SHA512
3ef5e27ca6d66e8da948556ad66da109208a57d78f92501c97f69e56e66a1d58c6a7c1d2273a68ab45ea409d68ddfd9b3425e1f4d05e1fc80ad31abdc25536c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1adbefc5-ee7c-44ef-a89b-48c23e81bd19.vbs

Filesize
496B

MD5
1fa047c7b4381a41a5bf78fb834ba3c1

SHA1
b45daf4b2a67cafc0326c96ec0694206ea1852ae

SHA256
763318eab5a184ae9c5b0cb4b443674b6acfb2fbf0d6d9a7884a73fcb0fbf2e6

SHA512
77f3507ab0151f3b760a03be38f82a300ac7cc894ca339f5aa3730aaabf6e3063328a7b14cfef812a63b40a66397b74c05453a0e51c06116bb7fd08297e3a993

Download Submit
C:\Users\Admin\AppData\Local\Temp\38d6084c-4627-40be-a7f6-42e15408fd36.vbs

Filesize
720B

MD5
db320bccfc9433b791e87cb81f5f2890

SHA1
2580925ed058f4178842ae8fbb77365546dff4e9

SHA256
b58d31be501345275cc8bce5fac8fcdf59e195cfb9ca159b8fab2893bce3aa6c

SHA512
84dcd7890d88de8f47d8ecc7301e60eb91d589568d08ee90d8564625b8b02770fb241ff8db9f3f83cd5165801be276cbd0b6e9358a426848f5d4cbd3fa1d2ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\419a70de-3e56-4420-93d0-ad21d42098a4.vbs

Filesize
720B

MD5
2ea83c6288b32de718c4ed734c0ac95f

SHA1
c83564fb88d58df685147ca0f32fbe6493183448

SHA256
c16aec8201d9db48a58d28f141afc7a415e8504990cb6a7ae3bafdcdd39dac8a

SHA512
cb616a686672021d3db39ff196c1a1bb096c03180e0304aceecb662704b1829736d2e9ae0092caddcb8103b96ef13995bf72a3f63ba1a50a9b88970f4732c5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\b62947bd-7a33-493a-bc9d-bcc4588ecc7b.vbs

Filesize
720B

MD5
5a0c7afeb6863357edb39e4a8359e5dd

SHA1
80a0723499f0e20639af340ae1fcd006d3e22339

SHA256
a6c3c3c876ae1186cab8c049c93a0e1267e9a4c81aaf8def5cdd3930842a5cae

SHA512
7ac17c80379aeccff2fd259f773e3a70fca4fa0116c7a6c7fdcca982f2aaeb6ff0280e1878c8beb277d3d08629bddffff8529b7ad7b8e1896f0ed81fb4c55b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7afdfb1-b275-4a16-87ec-35ff40bd2d58.vbs

Filesize
720B

MD5
a905fd97c5fac0dbf4be86359c08242f

SHA1
8b2413adf2d9d8c191840200d7b3e94651901bb9

SHA256
0b106c333c9fb568423308266957e8800aa77de4f3574e8bcf3fab8372a0fd79

SHA512
5d9f6850c02c036143858644a426f5f34cdf9dadeadf1bbd47b0ab2951b1a835f7d4ae89326ec6bf0815ed60c165d6da41964ad12b192e2e3e8cdc4df01ccd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed06c5b0-0bde-406b-b416-a43eb8cb4fa5.vbs

Filesize
719B

MD5
270a104dd379692d0365f7be90eaf9d4

SHA1
cf8b5709d0ccab0083c6db3bea208026537c01c6

SHA256
5a5c91f0d2e954de249fc29b7e349bd0772b1fdfca5d56bf6570f5800256fe3b

SHA512
8f7ba4f1779f1a073e42442966698a038235becd5ac1ea2a7b877b4e510d126c23be8e28b28b585e2c38f436acba347336f81ac68e2883fa6e67d4948630e38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
504B

MD5
e02e227a88cc86898b146248b914528a

SHA1
f0879f8d4325dbd8f32c48b93169b69dcfb77423

SHA256
e37350600d9f9617c9c11f0fe204c54602348bac34860643898d8473239ccfe1

SHA512
8a94de28f6b0da4807b4b801167e43ee2fed9d0d329e86689d04c8936b3bc36b23ccb91189feafc2ea3018373e13963c7f97be7a2b210dc6eac9494a6235c9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
512B

MD5
8256bd8a5a8deec77ce6d25e6a28340a

SHA1
707316a33618748ba3db2546dee3ec155d23d1a7

SHA256
affa799ef1824ed3187e49c5ad8a20fc7fc4bb23d97bc89dd78477c01cb59c61

SHA512
c749784862e885dab7b25314137a74ca23756cf4ffc56655dd102e7ad33fec4c3119fbaad9b336c21b53c0b35a9203fc67a56815370a61acbca49072eace3fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
412B

MD5
afc52ebb9dad4837985ae2e1feed6bdc

SHA1
d7f0ca924df9b94e2051a5c7bca0ec5f86234f19

SHA256
885a792431f35fc939f8e604a91072ef7226010c6e8ac92f614c484b149a1b13

SHA512
2d841b4a1d015e184fa85e9e64435eb03c1e221180dddb2f7baeac6db524f7c423dfa3a226c88aa8a116e09df2e64b226cd9ffc8007ceef8ebac2011ad8d9af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xSIOjU0uCj.bat

Filesize
234B

MD5
a1be1c1d8eb29af9b37943206bb9b51d

SHA1
61fdfed8d86d5ffbb0e4daebb12a24fc709454c3

SHA256
15d644a2579a5373ab7edabb60352dd92c08568626e4c09cab399b2d9e7fd68c

SHA512
bece421c32292f4b5de639371c25eb303c04397fe7e79d94257c474609b9417419d53a2cf4e2fb9e5dd5523bbe6f058a11f8dca32478dc72f20b960e036a2bfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94970104983dc934166561a865e6964c

SHA1
7a8523c3db2f0771eb6aa07cd2b2c1b719e0804f

SHA256
06cd1c0aa7035c79ec313b9fa8794ad9234d480e91a51dc81ab4f51628b11244

SHA512
95940a672d65d02513853b13d8928dede8c0650a082d0b45656eb614da6f467ece38aafb596b122632db0c06317eb784d14384f10cec1af51a60d3e74a2d5acc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6b738ebfc2de68434650d0c49737e4e3

SHA1
83aa9f0148787bfcdf414d0a2076c3f307cb3b23

SHA256
e91c52bc0bbc47b524158dde683202c630f98ec724853fb19b51ffdbd2f095fa

SHA512
cfe18c22cdd35013b3395c5f4bdb4b84431324156813b0e9bb943b132a7d39fe8a7167e64e41b2f89d3256787426f6bfa18b19223d1d02523921850edab802f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a7f79d80d36cbf2b999146c56d27d6c

SHA1
0777def7ad30180d23053b3bdaf00abfb27b1051

SHA256
ce30b10545c044f561cdbf36a77eb7d2117390bd35b3af79e65b166f4cd0b7f8

SHA512
1c53d7ade716359dbe746ab848f0f8f8011ea35554e3a66081544060f50a9f275b93c9e31c328a23314d30cd012692e5e5ca42766eb3026f0da9ff02849bba15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8e404a809505f239230497e89369d7ae

SHA1
2abb41f6826f3f201f80f46529173adf353e3548

SHA256
ddce3973bc4660b4d3851a70847106664e397f2e0d69f1cec84fe9f8eb3535c6

SHA512
b54ebefbc3b6608d73fc4a5de521795da6a2faebc6293b68d0c1a00fce5f649e456db8f3e760d11b9eef56346794455c0b73eaf00ebd316f06a97ce3fcd02677

Download Submit
memory/836-331-0x0000000001380000-0x0000000001494000-memory.dmp

Filesize
1.1MB

Download
memory/1632-319-0x00000000010E0000-0x00000000011F4000-memory.dmp

Filesize
1.1MB

Download
memory/1764-111-0x0000000001180000-0x0000000001294000-memory.dmp

Filesize
1.1MB

Download
memory/2296-108-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2324-101-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2388-396-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2428-144-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-167-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2472-64-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-9-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2472-0-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/2472-102-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-71-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-20-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2472-21-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2472-50-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-6-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2472-8-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2472-17-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2472-12-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2472-14-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2472-24-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2472-13-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2472-18-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2472-11-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2472-10-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2472-1-0x0000000000800000-0x0000000000914000-memory.dmp

Filesize
1.1MB

Download
memory/2472-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2472-15-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2472-3-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2472-16-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2472-5-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2472-4-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2472-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-296-0x0000000001070000-0x0000000001184000-memory.dmp

Filesize
1.1MB

Download
memory/2644-307-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\", \"C:\\Windows\\System32\\twext\\spoolsv.exe\", \"C:\\Windows\\Tasks\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\", \"C:\\Windows\\System32\\twext\\spoolsv.exe\", \"C:\\Windows\\Tasks\\wininit.exe\", \"C:\\ProgramData\\Application Data\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\it-IT\\WmiPrvSE.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\", \"C:\\Windows\\System32\\twext\\spoolsv.exe\", \"C:\\Windows\\Tasks\\wininit.exe\", \"C:\\ProgramData\\Application Data\\explorer.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\", \"C:\\Windows\\System32\\twext\\spoolsv.exe\", \"C:\\Windows\\Tasks\\wininit.exe\", \"C:\\ProgramData\\Application Data\\explorer.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\it-IT\\WmiPrvSE.exe\", \"C:\\Windows\\TAPI\\OSPPSVC.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\", \"C:\\Windows\\System32\\networkmap\\taskhost.exe\", \"C:\\Windows\\System32\\rgb9rast\\smss.exe\", \"C:\\ProgramData\\Application Data\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\bdaplgin\\lsass.exe\", \"C:\\Users\\Admin\\Music\\Idle.exe\", \"C:\\MSOCache\\All Users\\wininit.exe\", \"C:\\PerfLogs\\Admin\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\ntshrui\\csrss.exe\", \"C:\\Windows\\System32\\api-ms-win-core-delayload-l1-1-0\\taskhost.exe\", \"C:\\Windows\\twunk_32\\explorer.exe\", \"C:\\Windows\\Registration\\CRMLog\\6f723cd9002531ad31487e588d1132bc.exe\", \"C:\\Windows\\System32\\RpcPing\\lsass.exe\", \"C:\\Windows\\System32\\JavaScriptCollectionAgent\\sppsvc.exe\", \"C:\\PerfLogs\\Admin\\System.exe\", \"C:\\Windows\\System32\\IcCoinstall\\wininit.exe\", \"C:\\Windows\\System32\\twext\\spoolsv.exe\""	6f723cd9002531ad31487e588d1132bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\spoolsv.exe\", \"C:\\Windows\\System32\\alg\\smss.exe\""	6f723cd9002531ad31487e588d1132bc.exe