dcrat | 56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d6911ed247a840f2f372a605a99407.exe
Size

1.1MB
MD5

73d6911ed247a840f2f372a605a99407
SHA1

595953dd65ceb6ce48af99d0e4533ac711681733
SHA256

e1dacd883b37c7e481b4fc643b5628e061155f7c4f37874907ac2c8a5e66d7c0
SHA512

ba7b325ca5ff67273ebe485904d7981f8d70b3b2e9647c2f702bb0e6f3058faf35d4fab1351deaadf8fb126517595766d7039ee56b97c21fff36a43026696544
SSDEEP

12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\inetmib1\\sihost.exe\", \"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\inetmib1\\sihost.exe\", \"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\wbem\\wmitimep\\unsecapp.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\inetmib1\\sihost.exe\", \"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\wbem\\wmitimep\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Devices.Printers\\sihost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\inetmib1\\sihost.exe\", \"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\", \"C:\\Windows\\System32\\wbem\\wmitimep\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Devices.Printers\\sihost.exe\", \"C:\\Windows\\System32\\asycfilt\\SppExtComObj.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\inetmib1\\sihost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\inetmib1\\sihost.exe\", \"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\""	73d6911ed247a840f2f372a605a99407.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	5964	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	5964	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	5964	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	5964	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	5964	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5348	5964	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	5964	schtasks.exe	88

UAC bypass 3 TTPs 54 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
60	powershell.exe
5596	powershell.exe
5788	powershell.exe
3120	powershell.exe
2968	powershell.exe
4604	powershell.exe
1720	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	73d6911ed247a840f2f372a605a99407.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	73d6911ed247a840f2f372a605a99407.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 17 IoCs

pid	Process
1380	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe
4936	StartMenuExperienceHost.exe
5256	StartMenuExperienceHost.exe
820	StartMenuExperienceHost.exe
5208	StartMenuExperienceHost.exe
1524	StartMenuExperienceHost.exe
5000	StartMenuExperienceHost.exe
3320	StartMenuExperienceHost.exe
1236	StartMenuExperienceHost.exe
2476	StartMenuExperienceHost.exe
6040	StartMenuExperienceHost.exe
792	StartMenuExperienceHost.exe
4352	StartMenuExperienceHost.exe
1072	StartMenuExperienceHost.exe
4100	StartMenuExperienceHost.exe
5160	StartMenuExperienceHost.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\inetmib1\\sihost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\wmitimep\\unsecapp.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\wmitimep\\unsecapp.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\Windows.Devices.Printers\\sihost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\asycfilt\\SppExtComObj.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Internet Explorer\\StartMenuExperienceHost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\inetmib1\\sihost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\upfc.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Search.Core\\SearchApp.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\Windows.Devices.Printers\\sihost.exe\""	73d6911ed247a840f2f372a605a99407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\asycfilt\\SppExtComObj.exe\""	73d6911ed247a840f2f372a605a99407.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73d6911ed247a840f2f372a605a99407.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	73d6911ed247a840f2f372a605a99407.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Windows.Devices.Printers\RCXBD99.tmp	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\inetmib1\66fc9ff0ee96c2	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\Windows.Devices.Printers\66fc9ff0ee96c2	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\inetmib1\RCXB519.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\wbem\wmitimep\RCXBB94.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\wbem\wmitimep\unsecapp.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\Windows.Devices.Printers\sihost.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\asycfilt\e1ef82546f0b02	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\inetmib1\sihost.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\inetmib1\sihost.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\wbem\wmitimep\unsecapp.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\wbem\wmitimep\29c1c3cc0f7685	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\Windows.Devices.Printers\sihost.exe	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\asycfilt\RCXBF9E.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\System32\asycfilt\SppExtComObj.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\System32\asycfilt\SppExtComObj.exe	73d6911ed247a840f2f372a605a99407.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Program Files\Internet Explorer\55b276f4edf653	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXB315.tmp	73d6911ed247a840f2f372a605a99407.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe	73d6911ed247a840f2f372a605a99407.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\38384e6a620884	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\RCXB990.tmp	73d6911ed247a840f2f372a605a99407.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe	73d6911ed247a840f2f372a605a99407.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	73d6911ed247a840f2f372a605a99407.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4904	schtasks.exe
4648	schtasks.exe
4668	schtasks.exe
4760	schtasks.exe
4728	schtasks.exe
5348	schtasks.exe
4784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
1700	73d6911ed247a840f2f372a605a99407.exe
60	powershell.exe
60	powershell.exe
3120	powershell.exe
3120	powershell.exe
5596	powershell.exe
5596	powershell.exe
2968	powershell.exe
2968	powershell.exe
4604	powershell.exe
4604	powershell.exe
1720	powershell.exe
1720	powershell.exe
1800	powershell.exe
1800	powershell.exe
5788	powershell.exe
5788	powershell.exe
5596	powershell.exe
60	powershell.exe
3120	powershell.exe
2968	powershell.exe
4604	powershell.exe
5788	powershell.exe
1720	powershell.exe
1800	powershell.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe
2316	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	73d6911ed247a840f2f372a605a99407.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1380	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2316	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4936	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5256	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	820	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5208	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1524	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5000	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3320	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1236	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2476	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	6040	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	792	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4352	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1072	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4100	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5160	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3120	1700	73d6911ed247a840f2f372a605a99407.exe	99
PID 1700 wrote to memory of 3120	1700	73d6911ed247a840f2f372a605a99407.exe	99
PID 1700 wrote to memory of 2968	1700	73d6911ed247a840f2f372a605a99407.exe	100
PID 1700 wrote to memory of 2968	1700	73d6911ed247a840f2f372a605a99407.exe	100
PID 1700 wrote to memory of 4604	1700	73d6911ed247a840f2f372a605a99407.exe	101
PID 1700 wrote to memory of 4604	1700	73d6911ed247a840f2f372a605a99407.exe	101
PID 1700 wrote to memory of 1720	1700	73d6911ed247a840f2f372a605a99407.exe	102
PID 1700 wrote to memory of 1720	1700	73d6911ed247a840f2f372a605a99407.exe	102
PID 1700 wrote to memory of 1800	1700	73d6911ed247a840f2f372a605a99407.exe	103
PID 1700 wrote to memory of 1800	1700	73d6911ed247a840f2f372a605a99407.exe	103
PID 1700 wrote to memory of 60	1700	73d6911ed247a840f2f372a605a99407.exe	104
PID 1700 wrote to memory of 60	1700	73d6911ed247a840f2f372a605a99407.exe	104
PID 1700 wrote to memory of 5596	1700	73d6911ed247a840f2f372a605a99407.exe	105
PID 1700 wrote to memory of 5596	1700	73d6911ed247a840f2f372a605a99407.exe	105
PID 1700 wrote to memory of 5788	1700	73d6911ed247a840f2f372a605a99407.exe	106
PID 1700 wrote to memory of 5788	1700	73d6911ed247a840f2f372a605a99407.exe	106
PID 1700 wrote to memory of 660	1700	73d6911ed247a840f2f372a605a99407.exe	115
PID 1700 wrote to memory of 660	1700	73d6911ed247a840f2f372a605a99407.exe	115
PID 660 wrote to memory of 5308	660	cmd.exe	117
PID 660 wrote to memory of 5308	660	cmd.exe	117
PID 660 wrote to memory of 1380	660	cmd.exe	120
PID 660 wrote to memory of 1380	660	cmd.exe	120
PID 1380 wrote to memory of 1584	1380	StartMenuExperienceHost.exe	121
PID 1380 wrote to memory of 1584	1380	StartMenuExperienceHost.exe	121
PID 1380 wrote to memory of 2004	1380	StartMenuExperienceHost.exe	122
PID 1380 wrote to memory of 2004	1380	StartMenuExperienceHost.exe	122
PID 1584 wrote to memory of 2316	1584	WScript.exe	124
PID 1584 wrote to memory of 2316	1584	WScript.exe	124
PID 2316 wrote to memory of 4436	2316	StartMenuExperienceHost.exe	125
PID 2316 wrote to memory of 4436	2316	StartMenuExperienceHost.exe	125
PID 2316 wrote to memory of 4812	2316	StartMenuExperienceHost.exe	126
PID 2316 wrote to memory of 4812	2316	StartMenuExperienceHost.exe	126
PID 4436 wrote to memory of 4936	4436	WScript.exe	127
PID 4436 wrote to memory of 4936	4436	WScript.exe	127
PID 4936 wrote to memory of 5544	4936	StartMenuExperienceHost.exe	128
PID 4936 wrote to memory of 5544	4936	StartMenuExperienceHost.exe	128
PID 4936 wrote to memory of 2660	4936	StartMenuExperienceHost.exe	129
PID 4936 wrote to memory of 2660	4936	StartMenuExperienceHost.exe	129
PID 5544 wrote to memory of 5256	5544	WScript.exe	134
PID 5544 wrote to memory of 5256	5544	WScript.exe	134
PID 5256 wrote to memory of 3080	5256	StartMenuExperienceHost.exe	135
PID 5256 wrote to memory of 3080	5256	StartMenuExperienceHost.exe	135
PID 5256 wrote to memory of 1732	5256	StartMenuExperienceHost.exe	136
PID 5256 wrote to memory of 1732	5256	StartMenuExperienceHost.exe	136
PID 3080 wrote to memory of 820	3080	WScript.exe	138
PID 3080 wrote to memory of 820	3080	WScript.exe	138
PID 820 wrote to memory of 5980	820	StartMenuExperienceHost.exe	139
PID 820 wrote to memory of 5980	820	StartMenuExperienceHost.exe	139
PID 820 wrote to memory of 2108	820	StartMenuExperienceHost.exe	140
PID 820 wrote to memory of 2108	820	StartMenuExperienceHost.exe	140
PID 5980 wrote to memory of 5208	5980	WScript.exe	141
PID 5980 wrote to memory of 5208	5980	WScript.exe	141
PID 5208 wrote to memory of 1104	5208	StartMenuExperienceHost.exe	142
PID 5208 wrote to memory of 1104	5208	StartMenuExperienceHost.exe	142
PID 5208 wrote to memory of 3012	5208	StartMenuExperienceHost.exe	143
PID 5208 wrote to memory of 3012	5208	StartMenuExperienceHost.exe	143
PID 1104 wrote to memory of 1524	1104	WScript.exe	144
PID 1104 wrote to memory of 1524	1104	WScript.exe	144
PID 1524 wrote to memory of 5776	1524	StartMenuExperienceHost.exe	145
PID 1524 wrote to memory of 5776	1524	StartMenuExperienceHost.exe	145
PID 1524 wrote to memory of 1192	1524	StartMenuExperienceHost.exe	146
PID 1524 wrote to memory of 1192	1524	StartMenuExperienceHost.exe	146
PID 5776 wrote to memory of 5000	5776	WScript.exe	147
PID 5776 wrote to memory of 5000	5776	WScript.exe	147

System policy modification 1 TTPs 54 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	73d6911ed247a840f2f372a605a99407.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\73d6911ed247a840f2f372a605a99407.exe
"C:\Users\Admin\AppData\Local\Temp\73d6911ed247a840f2f372a605a99407.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\73d6911ed247a840f2f372a605a99407.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\inetmib1\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\wmitimep\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Devices.Printers\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\asycfilt\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\101oBMA505.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5308
- - C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
    "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1380
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c046f622-7058-4890-b924-0a083ff1e435.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2316
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313011df-f9c4-4070-ac51-74ce6bf4790f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e9bb898-e6fa-47cd-9522-3e8086597f7a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5544
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\440552e6-a216-4cd5-9141-70e6f6875a67.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab26d314-84ff-48e4-85a3-e4730d563624.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5980
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86e34126-b87c-4208-85ff-e348bbc3a752.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bfff5d3-052c-43b1-81d0-64938c90828d.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\823dd8fa-1c5a-4c0e-8411-93cdad9224ec.vbs"
        18⤵
        
        PID:2472
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bce2e6aa-bece-41b3-864e-c7a62fac1101.vbs"
        20⤵
        
        PID:4048
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df0ccb9-120e-404b-92fe-3c8a549dcdc5.vbs"
        22⤵
        
        PID:4696
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2c525d0-c1b9-4631-84f9-a259a506fe2b.vbs"
        24⤵
        
        PID:540
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc1b777f-0289-4049-9d26-654d26977efa.vbs"
        26⤵
        
        PID:892
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaa87fa6-c89d-4654-8642-4415b209b529.vbs"
        28⤵
        
        PID:2072
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e718ed0e-258f-48df-9579-d272b98f89b0.vbs"
        30⤵
        
        PID:2268
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dca6d64-96e6-411c-b088-0167cf0667b0.vbs"
        32⤵
        
        PID:5052
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f75e7995-5b79-4175-b2fb-3ff1f5c57575.vbs"
        34⤵
        
        PID:3244
        
        C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe"
        35⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e65600f-ccd5-4eb2-a06a-d139ac978ea0.vbs"
        36⤵
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d65b958f-f71a-4446-86a6-566d38b2e1da.vbs"
        36⤵
        
        PID:5592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fde2c27c-29f2-4ada-b82e-2303051fe1c6.vbs"
        34⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fff8b28-81ba-4b75-aecb-50720a2d0aa7.vbs"
        32⤵
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa235b1-cb65-412a-8768-df32170b433a.vbs"
        30⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffa6a5ef-9360-46ec-9a8f-1844c005552c.vbs"
        28⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e98d9c2c-4217-4f4f-8bca-73b50c4a1ead.vbs"
        26⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cd6be20-c006-46ff-91c1-dd5563a85f1c.vbs"
        24⤵
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f10908-f05a-40c7-8299-cfe4dffe6d86.vbs"
        22⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45d5e321-192b-4900-a202-39208ad72feb.vbs"
        20⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e3ba68-8156-4800-9fce-9d3fd55c94e7.vbs"
        18⤵
        
        PID:5156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f491434-6b8f-4805-ae2a-01a01a249597.vbs"
        16⤵
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e6e2d10-7f18-453b-9e46-1eec7e37f29a.vbs"
        14⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21d22268-a151-463b-b2fa-1809e1fe8b9a.vbs"
        12⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d0e54f0-858b-4424-876b-63e141f57265.vbs"
        10⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\630b307c-3e80-4b06-9987-38dfbe5640e4.vbs"
        8⤵
        
        PID:2660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1c90f11-aade-44ef-bef6-60a214f09bc0.vbs"
        6⤵
        
        PID:4812
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74b09d38-fd8a-4076-8f97-1ffb46e1e62b.vbs"
      4⤵
      PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\inetmib1\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Search.Core\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wmitimep\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Devices.Printers\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\asycfilt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3196c875759f12b19de76e7989c1ade

SHA1
2a9c952b123b87c988caf9bf64fc5fd777b5c876

SHA256
5f2b6782f01575ba7a1e68e3d46995679700b506293536afdb7b43cdd80628ed

SHA512
5493bb1c8af856285f9ba79aa8a58763861bbaf2f4abac7248761cc5bce77f9e132bf108f4e13b2ff95042647e5384e74167ed4301f8d59e308bbce1f93eb5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c79cf713064165d9921621736789b679

SHA1
4d8b3c69ddab8dd528496de06ce7e6e6c2758389

SHA256
6de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e

SHA512
22dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\101oBMA505.bat

Filesize
226B

MD5
be676cdb770bf6242fb702a35c351877

SHA1
c7ba7401bd4f17c9179a370d50127793bd99c646

SHA256
9933346971ef6c41a38365fb561b7d18c27824a32f0bceac8272cccfc63a675b

SHA512
e5e6090b8b8f19e2bb65dc8758406013be58757d88a8fd9b2f2cf17d55d098d10a6c50da085255ce3d6ac3b7fb820b0f64389d170a8bde28d7b07be019eee258

Download Submit
C:\Users\Admin\AppData\Local\Temp\313011df-f9c4-4070-ac51-74ce6bf4790f.vbs

Filesize
738B

MD5
42211b26281a6177041a598d2a44b7a7

SHA1
f3ba02cf6f6e3c1a1bc71e243ebdc6dc01ed23f2

SHA256
46a0e2d14100829cdd33859ce346a64cefbb099e03bbe54bf99a038c50d8402c

SHA512
91d0349cae939e45abab0cb70c06f4061e9e9362f53bd9240949c3b1f0ea7d4a961207995366623e4b0ba507aa2952de70d4a15f7670038e659d5735e84aa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\440552e6-a216-4cd5-9141-70e6f6875a67.vbs

Filesize
738B

MD5
e2d2b0ebde8c5bc0c7be16e25c1a464a

SHA1
8918f7a692cde81292f5c83e7459ab1b175f226f

SHA256
6cf321044ef19f903f21063fd4b13b03df1874c4c106025b1ae55b768d41561a

SHA512
6871a8bc95194274cc4dfd1a93141e7ccbb246fafe3f32d94fab2359e08edca1afdf468125002f8c67d79730973864de2b28a3085a262a76d2e5eadc916d2f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bfff5d3-052c-43b1-81d0-64938c90828d.vbs

Filesize
738B

MD5
8e4eae1b403fb2c9c9db9d6e75b66de9

SHA1
5fbd0ef2d3f90f455ca8f058171d526f9a8ed853

SHA256
72d3d1295e475602787d799cc12d51cf2e858045125b4aba552e6ebd07575aa5

SHA512
e247d6975a7774e732d0a5ab5814640bdf5c511f848d2e6bc7483718756be10031689ce0605e23b88a7a42d44b0e485dd4770bd6353d13db695cdcfe6752fb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e9bb898-e6fa-47cd-9522-3e8086597f7a.vbs

Filesize
738B

MD5
1f38777bfc7a74e8961869b520b654a0

SHA1
0e883ca7a5c69dc61ff8976ada7c56843de1ed3d

SHA256
f4b8ae39d5ff5b556b00eeeeffcbbdadb7c0a11b6bd28b9f809f5150d7c3cd90

SHA512
a80d5c3bc00ab126107240fae5e6ad6433559eee83825f36118e64cfceaf73195083c374f606e4025685c7e54911c4efe93ea7c17942e44c97b190936ba7915d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5df0ccb9-120e-404b-92fe-3c8a549dcdc5.vbs

Filesize
738B

MD5
31d16e30d0dd12a118c2fbff2289024e

SHA1
4b5748ff7902a3cdbbfdbc6da135feeb9d7c9fee

SHA256
bbd2c98eb2166791a1f1bccfbad031d40ffae622e4af3cd02fcbafbdd04b4468

SHA512
45c8cd0fe647ca7cab17282a4293b84a7d45a5feabf7c003d6a5b7e9fd5b5c47aefacbf960413038a2baacf03b248761c18284958ff5fcc652be04e32296d835

Download Submit
C:\Users\Admin\AppData\Local\Temp\74b09d38-fd8a-4076-8f97-1ffb46e1e62b.vbs

Filesize
514B

MD5
313de0fedb40ec6416e74fb8e0ed4a39

SHA1
00284ea3ab3c2f189a180f6bcb9bf8f7a7a92461

SHA256
a0974f9be2e84667772cfc89ca99fbb5acc5d78ce44c627df56d9754b3792a04

SHA512
4f36812c711e5f4449254da300abd0fee0934c3515657052c0dbaf5b55ebe8411802544d7443795a2b5e918c0137038892278e7dd6f40aa0c7abda1f23f4cd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\823dd8fa-1c5a-4c0e-8411-93cdad9224ec.vbs

Filesize
738B

MD5
d007ac7b805ecad3e157b939a6744a6a

SHA1
16ceca7b0335e9f2059ce92d03c3f5a022156561

SHA256
438113e77885aba8f17149247bde2fb5d301593ffd730e93119b1a967232cad1

SHA512
fb999b9baddb4b021d6858eaad9c09d383ccb78df3ef92900605edfd29810bec672e8187d09fdf9901c9b311c38f4f3b96bb0adab647c2e6d63d66dc40ac6d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\86e34126-b87c-4208-85ff-e348bbc3a752.vbs

Filesize
738B

MD5
246c93f5994215b1ddd381cfa35437bf

SHA1
08342311159045698fd9d58aae94f93d5d0caf25

SHA256
c7e7651e8a357225533a5427f6e4c0f195f820f4586a37f100b52fc50bcbb7ae

SHA512
cff8c956d7d0cce119d36ec7dd89c9aa59264fae29a7d74a387d1581b4ad4356c6868f4d3b67356230d2d0670264d6d4c06e9e5c3e49b98c580adcaf31af2f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmjysrmb.o20.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab26d314-84ff-48e4-85a3-e4730d563624.vbs

Filesize
737B

MD5
a5241e2f5ecace4f55b126c733f10a46

SHA1
20dc30a82c854d024394f699ecf106d3c6f12bf1

SHA256
d295143873df04133c9a93c945210fac53ae562d0edd8ce5b3aa69e80a256c5e

SHA512
e7a923b6722ef0caa35c2624a2b2c4fe08bd7c0fd3c3d81bc23ffc96605c78e303d486214dd3c67fc025057ae21e3e5c12c209ad3dde7972997d41ba4b8a4a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2c525d0-c1b9-4631-84f9-a259a506fe2b.vbs

Filesize
738B

MD5
d12c0fe3fadc89e1970ee5682695b0f0

SHA1
4d743d94a398ed052e124bd455b49c14bd3ddfda

SHA256
62a0b91e4aeca6f107aefa76f1408567ccd1dc3b7d669e1e8a439b87f1b174b7

SHA512
70391e2726ffc91d3720daf661f7a32609e12792ebb3484f39a8c242afbcdaf1e65220052042ceca05258037d3a6f50b0b0ebf83e44989e8552e9266d635d65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bce2e6aa-bece-41b3-864e-c7a62fac1101.vbs

Filesize
738B

MD5
ff8d2be42f1dfab9057824a9443d8d59

SHA1
68abacf945b9e67384349ebf605b1ecee5cba280

SHA256
09b4965b627343d9992d6718f952ad76c36fc10a5480d9ac1f30e57ab493d3f0

SHA512
bf48dc07c5ba191c0dadcd23ed9fc5965c23fc351a2677700e3264ca00e87080e3c638ec499e789515c0d1c5b9175a1329c931a6735f3c286d46008146c6ee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c046f622-7058-4890-b924-0a083ff1e435.vbs

Filesize
738B

MD5
e31778d52257b70b295ccfff5a87a209

SHA1
069759729e281524572c6514bdb18d9236db761f

SHA256
21ce38b846c2fb3ace8d17f7832660ced176a129fd7dfe0844db0aa7bd8cfbad

SHA512
e302f4d20c04aabf04ec652c66eafc5e2097a7c3efb26ae5b85bb62feb64677a6839d2df4cf7ecdebf2857c762748e0f876569cb79f96cbb27bdfc26075cab3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaa87fa6-c89d-4654-8642-4415b209b529.vbs

Filesize
737B

MD5
80d141077906235e028041b6bce4b945

SHA1
9a107e75f5871ab0c70ca43215a01865aae010ea

SHA256
1fc7b63491c920d77e95afdbf6eefff4c3b85c525ec05065c62b0792d6d831c8

SHA512
75cbb91413e43079852f4ff6be75d8d15d25a330de35fa95672cfec5cc22bf23363df339e4515f348e7d4c356b83acb9afa083fd328cf16569187595331013c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc1b777f-0289-4049-9d26-654d26977efa.vbs

Filesize
738B

MD5
0b4db684a4d4ba2a41a676ca17141cf2

SHA1
c2783e4787905a533effc1552b00d6f7d5f3b333

SHA256
cac5945b81bf522d8df4250c0ea5c78298271f10eaf70e4f06c2648289af7b7c

SHA512
fb9ed98aa216c0495a7dd9aa7a75f9bcf928c9f5f953fa9ff9757ce1874b809680beff20a190dcf40530a95e4baa7327124ba8ce507a059e631867d75204fa91

Download Submit
C:\Windows\System32\wbem\wmitimep\unsecapp.exe

Filesize
1.1MB

MD5
73d6911ed247a840f2f372a605a99407

SHA1
595953dd65ceb6ce48af99d0e4533ac711681733

SHA256
e1dacd883b37c7e481b4fc643b5628e061155f7c4f37874907ac2c8a5e66d7c0

SHA512
ba7b325ca5ff67273ebe485904d7981f8d70b3b2e9647c2f702bb0e6f3058faf35d4fab1351deaadf8fb126517595766d7039ee56b97c21fff36a43026696544

Download Submit
memory/820-237-0x000000001B090000-0x000000001B0A2000-memory.dmp

Filesize
72KB

Download
memory/1524-260-0x00000000011B0000-0x00000000011C2000-memory.dmp

Filesize
72KB

Download
memory/1700-11-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/1700-95-0x00007FFF93EE0000-0x00007FFF949A1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-24-0x00007FFF93EE0000-0x00007FFF949A1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-21-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/1700-20-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/1700-18-0x000000001BF00000-0x000000001BF08000-memory.dmp

Filesize
32KB

Download
memory/1700-17-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/1700-16-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

Filesize
32KB

Download
memory/1700-15-0x000000001B8C0000-0x000000001B8CA000-memory.dmp

Filesize
40KB

Download
memory/1700-14-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

Filesize
48KB

Download
memory/1700-13-0x0000000002DB0000-0x0000000002DBA000-memory.dmp

Filesize
40KB

Download
memory/1700-12-0x0000000002DA0000-0x0000000002DA8000-memory.dmp

Filesize
32KB

Download
memory/1700-1-0x0000000000AF0000-0x0000000000C04000-memory.dmp

Filesize
1.1MB

Download
memory/1700-25-0x00007FFF93EE0000-0x00007FFF949A1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-2-0x00007FFF93EE0000-0x00007FFF949A1000-memory.dmp

Filesize
10.8MB

Download
memory/1700-0-0x00007FFF93EE3000-0x00007FFF93EE5000-memory.dmp

Filesize
8KB

Download
memory/1700-4-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/1700-9-0x0000000002D70000-0x0000000002D7C000-memory.dmp

Filesize
48KB

Download
memory/1700-8-0x0000000002D60000-0x0000000002D68000-memory.dmp

Filesize
32KB

Download
memory/1700-10-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/1700-7-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/1700-6-0x0000000002D30000-0x0000000002D3A000-memory.dmp

Filesize
40KB

Download
memory/1700-3-0x0000000001460000-0x0000000001468000-memory.dmp

Filesize
32KB

Download
memory/1700-5-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/3120-101-0x0000027E3FA60000-0x0000027E3FA82000-memory.dmp

Filesize
136KB

Download
memory/3320-283-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/4100-354-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/4936-213-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/5256-225-0x0000000001420000-0x0000000001432000-memory.dmp

Filesize
72KB

Download