dcrat | 54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece

Analysis

max time kernel
151s
max time network
127s
platform
windows10_x64
resource
win10v20210408
submitted
18-08-2021 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a31d76_LlMk5PvSaq.exe
Size

1.4MB
MD5

04a31d7675a4858c9c1ddb7c818782d5
SHA1

991b6bd9ed58869e8e408158b99a050791e15f17
SHA256

54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece
SHA512

2fac1ab544a88b0476e474d0990ab24fa5a678f0ae983aca1666910774d85a0b5dcc2040ef5fff21a25ef04d57fdc35de34af28d24c73af8b66c163b890b5d97

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 39 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

driverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3848	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3848	schtasks.exe

DCRat Payload 34 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\lsass.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\sppsvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\taskhostw.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\lsass.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\dllhost.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\taskhostw.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\csrss.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat

Executes dropped EXE 39 IoCs

Processes:

pid	process
2132	driverSavesPerfsvcCrtNetSvc.exe
3232	driverSavesPerfsvcCrtNetSvc.exe
3984	driverSavesPerfsvcCrtNetSvc.exe
964	driverSavesPerfsvcCrtNetSvc.exe
3588	driverSavesPerfsvcCrtNetSvc.exe
3580	driverSavesPerfsvcCrtNetSvc.exe
892	driverSavesPerfsvcCrtNetSvc.exe
3356	driverSavesPerfsvcCrtNetSvc.exe
2284	driverSavesPerfsvcCrtNetSvc.exe
3604	driverSavesPerfsvcCrtNetSvc.exe
2728	driverSavesPerfsvcCrtNetSvc.exe
3956	driverSavesPerfsvcCrtNetSvc.exe
2628	driverSavesPerfsvcCrtNetSvc.exe
4064	driverSavesPerfsvcCrtNetSvc.exe
840	driverSavesPerfsvcCrtNetSvc.exe
3768	driverSavesPerfsvcCrtNetSvc.exe
2388	driverSavesPerfsvcCrtNetSvc.exe
1820	driverSavesPerfsvcCrtNetSvc.exe
3288	driverSavesPerfsvcCrtNetSvc.exe
4000	driverSavesPerfsvcCrtNetSvc.exe
2364	driverSavesPerfsvcCrtNetSvc.exe
836	driverSavesPerfsvcCrtNetSvc.exe
3908	driverSavesPerfsvcCrtNetSvc.exe
2112	driverSavesPerfsvcCrtNetSvc.exe
3588	driverSavesPerfsvcCrtNetSvc.exe
2020	driverSavesPerfsvcCrtNetSvc.exe
3596	driverSavesPerfsvcCrtNetSvc.exe
2388	driverSavesPerfsvcCrtNetSvc.exe
4056	driverSavesPerfsvcCrtNetSvc.exe
2308	driverSavesPerfsvcCrtNetSvc.exe
2696	driverSavesPerfsvcCrtNetSvc.exe
784	driverSavesPerfsvcCrtNetSvc.exe
796	driverSavesPerfsvcCrtNetSvc.exe
3596	driverSavesPerfsvcCrtNetSvc.exe
3868	driverSavesPerfsvcCrtNetSvc.exe
3148	driverSavesPerfsvcCrtNetSvc.exe
1324	driverSavesPerfsvcCrtNetSvc.exe
196	driverSavesPerfsvcCrtNetSvc.exe
408	driverSavesPerfsvcCrtNetSvc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:/Users/Admin/AppData/Local/\\explorer.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:/Users/Admin/AppData/Local/\\System.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:/Users/Admin/AppData/Local/\\powershell.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\driverSavesPerfsvcCrtNetSvc = "\"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\driverSavesPerfsvcCrtNetSvc = "\"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:/Users/Admin/AppData/Local/\\explorer.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:/Users/Admin/AppData/Local/\\powershell.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:/Users/Admin/AppData/Local/\\System.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
784	schtasks.exe
2708	schtasks.exe
1032	schtasks.exe
188	schtasks.exe
188	schtasks.exe
1036	schtasks.exe
784	schtasks.exe
928	schtasks.exe
4020	schtasks.exe
3736	schtasks.exe
2824	schtasks.exe
4064	schtasks.exe
2728	schtasks.exe
3164	schtasks.exe
1164	schtasks.exe
1164	schtasks.exe
1716	schtasks.exe
664	schtasks.exe
3756	schtasks.exe
3944	schtasks.exe
3600	schtasks.exe
1328	schtasks.exe
1792	schtasks.exe
3036	schtasks.exe
2484	schtasks.exe
744	schtasks.exe
628	schtasks.exe
2116	schtasks.exe
3164	schtasks.exe
2180	schtasks.exe
3036	schtasks.exe
420	schtasks.exe
508	schtasks.exe
4016	schtasks.exe
3036	schtasks.exe
2712	schtasks.exe
1912	schtasks.exe
3884	schtasks.exe
2288	schtasks.exe

Modifies registry class 15 IoCs

Processes:

driverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe04a31d76_LlMk5PvSaq.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	04a31d76_LlMk5PvSaq.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	driverSavesPerfsvcCrtNetSvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

pid	process
196	powershell.exe
196	powershell.exe
2132	driverSavesPerfsvcCrtNetSvc.exe
196	powershell.exe
3232	driverSavesPerfsvcCrtNetSvc.exe
3984	driverSavesPerfsvcCrtNetSvc.exe
964	driverSavesPerfsvcCrtNetSvc.exe
3588	driverSavesPerfsvcCrtNetSvc.exe
3580	driverSavesPerfsvcCrtNetSvc.exe
892	driverSavesPerfsvcCrtNetSvc.exe
3356	driverSavesPerfsvcCrtNetSvc.exe
2284	driverSavesPerfsvcCrtNetSvc.exe
3604	driverSavesPerfsvcCrtNetSvc.exe
2728	driverSavesPerfsvcCrtNetSvc.exe
3956	driverSavesPerfsvcCrtNetSvc.exe
2628	driverSavesPerfsvcCrtNetSvc.exe
4064	driverSavesPerfsvcCrtNetSvc.exe
840	driverSavesPerfsvcCrtNetSvc.exe
3768	driverSavesPerfsvcCrtNetSvc.exe
2388	driverSavesPerfsvcCrtNetSvc.exe
1820	driverSavesPerfsvcCrtNetSvc.exe
3288	driverSavesPerfsvcCrtNetSvc.exe
4000	driverSavesPerfsvcCrtNetSvc.exe
2364	driverSavesPerfsvcCrtNetSvc.exe
836	driverSavesPerfsvcCrtNetSvc.exe
3908	driverSavesPerfsvcCrtNetSvc.exe
2112	driverSavesPerfsvcCrtNetSvc.exe
3588	driverSavesPerfsvcCrtNetSvc.exe
2020	driverSavesPerfsvcCrtNetSvc.exe
3596	driverSavesPerfsvcCrtNetSvc.exe
2388	driverSavesPerfsvcCrtNetSvc.exe
4056	driverSavesPerfsvcCrtNetSvc.exe
2308	driverSavesPerfsvcCrtNetSvc.exe
2696	driverSavesPerfsvcCrtNetSvc.exe
784	driverSavesPerfsvcCrtNetSvc.exe
796	driverSavesPerfsvcCrtNetSvc.exe
3596	driverSavesPerfsvcCrtNetSvc.exe
3868	driverSavesPerfsvcCrtNetSvc.exe
3148	driverSavesPerfsvcCrtNetSvc.exe
1324	driverSavesPerfsvcCrtNetSvc.exe
196	driverSavesPerfsvcCrtNetSvc.exe
408	driverSavesPerfsvcCrtNetSvc.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	2132	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3232	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3984	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	964	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3588	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3580	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	892	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3356	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2284	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3604	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2728	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3956	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2628	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4064	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	840	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3768	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2388	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	1820	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3288	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4000	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2364	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	836	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3908	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2112	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3588	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2020	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3596	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2388	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	4056	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2308	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2696	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	784	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	796	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3596	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3868	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	3148	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	1324	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	196	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	408	driverSavesPerfsvcCrtNetSvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04a31d76_LlMk5PvSaq.execmd.exeWScript.execmd.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	pid	process	target process
PID 664 wrote to memory of 3980	664	04a31d76_LlMk5PvSaq.exe	WScript.exe
PID 664 wrote to memory of 3980	664	04a31d76_LlMk5PvSaq.exe	WScript.exe
PID 664 wrote to memory of 3980	664	04a31d76_LlMk5PvSaq.exe	WScript.exe
PID 664 wrote to memory of 2012	664	04a31d76_LlMk5PvSaq.exe	cmd.exe
PID 664 wrote to memory of 2012	664	04a31d76_LlMk5PvSaq.exe	cmd.exe
PID 664 wrote to memory of 2012	664	04a31d76_LlMk5PvSaq.exe	cmd.exe
PID 2012 wrote to memory of 196	2012	cmd.exe	powershell.exe
PID 2012 wrote to memory of 196	2012	cmd.exe	powershell.exe
PID 2012 wrote to memory of 196	2012	cmd.exe	powershell.exe
PID 3980 wrote to memory of 3292	3980	WScript.exe	cmd.exe
PID 3980 wrote to memory of 3292	3980	WScript.exe	cmd.exe
PID 3980 wrote to memory of 3292	3980	WScript.exe	cmd.exe
PID 3292 wrote to memory of 2132	3292	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3292 wrote to memory of 2132	3292	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2132 wrote to memory of 3232	2132	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2132 wrote to memory of 3232	2132	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3232 wrote to memory of 3984	3232	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3232 wrote to memory of 3984	3232	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3984 wrote to memory of 964	3984	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3984 wrote to memory of 964	3984	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 964 wrote to memory of 3380	964	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 964 wrote to memory of 3380	964	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3380 wrote to memory of 3944	3380	cmd.exe	chcp.com
PID 3380 wrote to memory of 3944	3380	cmd.exe	chcp.com
PID 3380 wrote to memory of 3696	3380	cmd.exe	w32tm.exe
PID 3380 wrote to memory of 3696	3380	cmd.exe	w32tm.exe
PID 3380 wrote to memory of 3588	3380	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3380 wrote to memory of 3588	3380	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3588 wrote to memory of 992	3588	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3588 wrote to memory of 992	3588	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 992 wrote to memory of 3736	992	cmd.exe	chcp.com
PID 992 wrote to memory of 3736	992	cmd.exe	chcp.com
PID 992 wrote to memory of 364	992	cmd.exe	w32tm.exe
PID 992 wrote to memory of 364	992	cmd.exe	w32tm.exe
PID 992 wrote to memory of 3580	992	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 992 wrote to memory of 3580	992	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3580 wrote to memory of 892	3580	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3580 wrote to memory of 892	3580	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 892 wrote to memory of 3356	892	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 892 wrote to memory of 3356	892	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3356 wrote to memory of 2284	3356	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3356 wrote to memory of 2284	3356	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2284 wrote to memory of 2868	2284	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 2284 wrote to memory of 2868	2284	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 2868 wrote to memory of 2712	2868	cmd.exe	chcp.com
PID 2868 wrote to memory of 2712	2868	cmd.exe	chcp.com
PID 2868 wrote to memory of 3908	2868	cmd.exe	w32tm.exe
PID 2868 wrote to memory of 3908	2868	cmd.exe	w32tm.exe
PID 2868 wrote to memory of 3604	2868	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2868 wrote to memory of 3604	2868	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3604 wrote to memory of 4048	3604	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 3604 wrote to memory of 4048	3604	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 4048 wrote to memory of 2884	4048	cmd.exe	chcp.com
PID 4048 wrote to memory of 2884	4048	cmd.exe	chcp.com
PID 4048 wrote to memory of 1040	4048	cmd.exe	w32tm.exe
PID 4048 wrote to memory of 1040	4048	cmd.exe	w32tm.exe
PID 4048 wrote to memory of 2728	4048	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 4048 wrote to memory of 2728	4048	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2728 wrote to memory of 3956	2728	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2728 wrote to memory of 3956	2728	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3956 wrote to memory of 2628	3956	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 3956 wrote to memory of 2628	3956	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2628 wrote to memory of 712	2628	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 2628 wrote to memory of 712	2628	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\04a31d76_LlMk5PvSaq.exe
"C:\Users\Admin\AppData\Local\Temp\04a31d76_LlMk5PvSaq.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driverSaves\LHhDtlPF.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\driverSaves\elBs4FCCK.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Ho6YoOEYZ.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:3944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:3696

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igLbNNRcqj.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:3736

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:364

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QP7M8Y3sQh.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2712

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:3908

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RYpw9aUEO7.bat"
17⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2884

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:1040

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CcE7N1YuvF.bat"
21⤵
PID:712

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:3292

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:2080

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3xelKm6vuZ.bat"
25⤵
PID:2540

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:3372

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:2224

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
29⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqFuDy9ss7.bat"
30⤵
PID:3884

C:\Windows\system32\chcp.com
chcp 65001
31⤵
PID:1200

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
31⤵
PID:4080

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
31⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KzrRZZneu0.bat"
32⤵
PID:3372

C:\Windows\system32\chcp.com
chcp 65001
33⤵
PID:3340

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
33⤵
PID:2304

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
33⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3xelKm6vuZ.bat"
35⤵
PID:688

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:3840

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
36⤵
PID:1776

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
37⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\63o40OZ35H.bat"
39⤵
PID:2328

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:1484

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
40⤵
PID:2192

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
41⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9KZIw6DECS.bat"
43⤵
PID:3164

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:4064

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
44⤵
PID:1704

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
45⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
47⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zFbXcCSeDz.bat"
48⤵
PID:1148

C:\Windows\system32\chcp.com
chcp 65001
49⤵
PID:1304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
49⤵
PID:3380

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
49⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
51⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xgel2999bK.bat"
52⤵
PID:2112

C:\Windows\system32\chcp.com
chcp 65001
53⤵
PID:1164

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
53⤵
PID:1336

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
53⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
55⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TjQW6qUqV8.bat"
56⤵
PID:2200

C:\Windows\system32\chcp.com
chcp 65001
57⤵
PID:1328

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
57⤵
PID:508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\driverSaves\mKLt1agSNSLByUmKEYd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverSavesPerfsvcCrtNetSvc" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\driverSavesPerfsvcCrtNetSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c
MD5
92078f6359bd88e9fdccef0cc44f9d2b

SHA1
61a4fac2b91312f35396f382ca3dae56695f4ba0

SHA256
447bb857f6e93f5c71ba5797769cae8412fbf01f35e3af57327199be9982b458

SHA512
4d6458266751120d7b00cb69d76f80d5a506fe66052653b55893a1876df15091491b34be289801a710057cc491153aa21a868d566e0e593dc1c80bdd1a1da040

Download Submit
C:\Users\Admin\AppData\Local\5940a34987c99120d96dace90a3f93f329dcad63
MD5
fd0b3aeb22b01bd963e9309127324f82

SHA1
1df14b3aa463c3003fc42c813796a1376672de20

SHA256
260f263f5fc4c08cfea2a81597b60bf6cfaca5dd31b1eb4579a5bbe0b445ad75

SHA512
efd68e29ef9c0eb5503f0c06b189ba857c8df66213343b096a6e3a9e406b1b268a5a183e78f94b3a26d98cacecc0f14c2ac6efc97a1469f9f414f40530c2954b

Download Submit
C:\Users\Admin\AppData\Local\5940a34987c99120d96dace90a3f93f329dcad63
MD5
fd0b3aeb22b01bd963e9309127324f82

SHA1
1df14b3aa463c3003fc42c813796a1376672de20

SHA256
260f263f5fc4c08cfea2a81597b60bf6cfaca5dd31b1eb4579a5bbe0b445ad75

SHA512
efd68e29ef9c0eb5503f0c06b189ba857c8df66213343b096a6e3a9e406b1b268a5a183e78f94b3a26d98cacecc0f14c2ac6efc97a1469f9f414f40530c2954b

Download Submit
C:\Users\Admin\AppData\Local\5940a34987c99120d96dace90a3f93f329dcad63
MD5
fea6dbb4486230cd5a798b1b0be5cb5a

SHA1
2fb8e46470d9ee832b59dcee3f7ed29f77c7f570

SHA256
901905c505244a1500ecbee975854806517b50e5266756586f9d051d7924fbbe

SHA512
af2045f4352b721a2dc04b8e38743fd6503018476b77b8aac42a5f8234cc89244dd3e14a15e0eb11d6d33375daedc4912b2bb8ad93fd07e2bfc1cd595de5d3d6

Download Submit
C:\Users\Admin\AppData\Local\5b884080fd4f94e2695da25c503f9e33b9605b83
MD5
7ca46fa0f71bde363a9348789dc2d72b

SHA1
3dc7e348fa118fd3d09f44a29829aaa780783062

SHA256
15e2d7f5cd22a319265a98a12d51e393e54fe4eeb19bb05728153eb017e014c7

SHA512
48972c292825202a45b00524f70f80907e661f733366853c4fbb3e4c1498e7c6f12ae79078475a6e6b7221e16596dc2d95141187026cca92c637bba6b3d30b31

Download Submit
C:\Users\Admin\AppData\Local\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9
MD5
4d62e886a9d61e8acf0b1a4380cdd002

SHA1
1891234aea5cc8a5881df6564ba08e1da4cf9eb7

SHA256
a4feee3599add0076fa70e29b0cf180add09f43e7f26ea9d2e02644cb25a8ce3

SHA512
a61657acf39cfceb6ecc357c9fff2698808ea7287d969943cc49bce4effef4d53bbad1852e4c34dda8d09c03588c1c9cad21f99d98c9e1a134d89832149b85ed

Download Submit
C:\Users\Admin\AppData\Local\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9
MD5
2b8583c1952d3e3f483b2baa22fd5c0d

SHA1
55f8173ee4871c0e328543adcedae63264ed4ade

SHA256
e24ff67a95b0b7d54f495c9bf7eae0354f4ff83b068f2feadb1d333ec298d517

SHA512
453757bd0b370392feb081e39e16dadd1c7e3956905a54f53fe8bf4845d983f5aa204526cc4a4582f503911e87866628097aab71f855c11f965d453e99a9f5d9

Download Submit
C:\Users\Admin\AppData\Local\886983d96e3d3e31032c679b2d4ea91b6c05afef
MD5
16d754c7c65323173dc70c265d42ea6d

SHA1
7495dd62fa842835d4d55a4f582f2bbf883e1a11

SHA256
e998b1f081db8ca3fe5bad7af5a12bebef371cdf138a2bba3763a0cef447eedd

SHA512
808201676845b7d98c24a1bf8591f0d8e7cc408b4746b0b2031837608d11326b8161cdffcbd64d61e2e20b8184ae4c9dca54d2f0684beaa15790d4abd6b80284

Download Submit
C:\Users\Admin\AppData\Local\886983d96e3d3e31032c679b2d4ea91b6c05afef
MD5
327519ffbe7f236531378aa3cb32976f

SHA1
f97a9e4d1696f148ea7022041dd0673f9bdbc4e7

SHA256
4b2db27efd981d523c06d8c43b79b1d9a275e969e5334d917109939c831add99

SHA512
0b6fb43f455426aa1e56a25335718d06eb0e5103f5a86703fca7b28cfabbf680c2db09d2b1f9c31cc83295ffb3b34a5e77aa8d3e2cfaf8531849b671c8917f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\driverSavesPerfsvcCrtNetSvc.exe.log
MD5
4a1ed3846791b69d7fa47b440e9e0c89

SHA1
426942cf26fbc0a96bdc525a6a625726471abaca

SHA256
cd4a447c7269df5cced4fa6a981c156f51b652d3026e4008027d6092b76ba7a5

SHA512
52341fafc8510e04546fcaf3dedc720d73bf88e217217ddc8b2c5dd9f74e8f6a233793bc63e4ee970da8872371560331dae56479af2d4afdb5f8597fdf3e5dfd

Download Submit
C:\Users\Admin\AppData\Local\ShellExperienceHost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xelKm6vuZ.bat
MD5
6482542386dd20553cd5ccef61ca9426

SHA1
0502d14c2ea02eaae5955183e195bae74b0502f3

SHA256
97711558241516d809e3c2e1aff4eb2c2d724e72bbea4844bd32d376e3e06846

SHA512
7ec18ac2d568251b1e71334f2a7f2fa2c54d1e07a7c48d702bd110f8124e3dab04f26932ccacbeb94afd61e546ca8cabf13c97bb1edc0e4162b8eb6e5c83cd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\3xelKm6vuZ.bat
MD5
6482542386dd20553cd5ccef61ca9426

SHA1
0502d14c2ea02eaae5955183e195bae74b0502f3

SHA256
97711558241516d809e3c2e1aff4eb2c2d724e72bbea4844bd32d376e3e06846

SHA512
7ec18ac2d568251b1e71334f2a7f2fa2c54d1e07a7c48d702bd110f8124e3dab04f26932ccacbeb94afd61e546ca8cabf13c97bb1edc0e4162b8eb6e5c83cd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Ho6YoOEYZ.bat
MD5
2ea849765da5f13a996eeeb4f32f8073

SHA1
edc2d94817e46e29b7dc9e376e4d4545fbe800c5

SHA256
9fb4eb294bb7b4ade93d4870180979fbe4b44739d687c0043977b0c82204c6b4

SHA512
fb03cc403cbd6148a2fd54349e20a2aa9efeae2d69ac4e6ce66dd5141a446f852a48dc1915ec84fd8ba286a6d5133870443c3a5294165d6da76e46139fb659b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcE7N1YuvF.bat
MD5
10f33c766f177b3ac3240a3de070156b

SHA1
47218d29b38c6b64d8029c412bd4d59998db2674

SHA256
99be92d3f3d41ca6f309e28818bd8f04244b8dc14e5c4ec976d58546dd239f09

SHA512
76801492396120b7628b3d49e9d84517f816df9d3215482217a2579fb45fa2832e9924d16ca8da4aa88190dcd5cb2ed5b6bea8cecbd464b275a655bf62bd0820

Download Submit
C:\Users\Admin\AppData\Local\Temp\KzrRZZneu0.bat
MD5
881508eb2826f6d13c4e3b585e75fa8b

SHA1
9bad0f719e69f1ad0560c693795b0a980c9522e9

SHA256
c4928bc3332c76dfee399c2abe6a2c147cd3d86dc56524b41ae29fd5ca9913f3

SHA512
bf8a8c9a1f1b73d498efc222cd63ad068831b79ed2477b73ffdf95a467ecb708c36462d07937cd126521046b99c9d4227f047e40b2f0735169a8cc5aac0d7233

Download Submit
C:\Users\Admin\AppData\Local\Temp\QP7M8Y3sQh.bat
MD5
46be31eaafa18aecd138126563c1fd35

SHA1
b112efa6f6af33e2f0f477aed0f64de757248426

SHA256
2ab9d65a610acf10f4825bca7475ee87ab8a2695bef21478bdaf09d44c234f8b

SHA512
30e60406b8bf0248d07fd708f5835cfe05460e8246115995a860f0737046d7a0f754876845092b064226696cb52853c3bbbd2c12b216e450466e1be4d8ccc221

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqFuDy9ss7.bat
MD5
af476f19acf88d751aa658276f2178ec

SHA1
2832ebb40b148f4bd4f74eca719a6ad02d8e653b

SHA256
44b3ff056cc1c9a756ca75d9949b5848d240e9cf24b7e5915053f963777f3ec3

SHA512
3ee7541bfeb7b52f77f94420912c3f7f1ada86c4ad88977298bcab2995317d668958a42a60603be04eb204fa90d8cd6634189207552ae170aa26bc8df989f25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYpw9aUEO7.bat
MD5
b4ccd6af5075073c9a65f18398bd08e8

SHA1
a412815ae6c7068bf495c626f3111424484d0613

SHA256
9e49bf33b935c9e079d6641d09b6767d48d457a0cfec2bc32650c40229c65ac3

SHA512
d4ffecb19ea04a6077f7844cd18a939bb31c43536bdfcd645ebc7ab02ec3079fd4e6f4affb647991c625cd4fa84f5fcc093155a9a3986d73dbc79b6044a755e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\igLbNNRcqj.bat
MD5
452e4084a0fd4f59cc1abe5b5a47cb6b

SHA1
03ff90e042b47ec479e6219192b7fc1dc636c361

SHA256
5e5dc2a6f165e610d4f57037607cab3b928a24f68f09c618ea547f03eb9c698b

SHA512
6327ca85b721403b42a1661767f4c0d2e856ccd433235624d11ee8a2ca0d7e5f47f804a753d9dd793c24ab48ba809b69f6ac5ed6aace1bf284a7b08ef31fc24b

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988
MD5
a15f7d939e401a3b64c32d8a029517dc

SHA1
fa5e185b24dbcfa7faae03036c7e66c9deac4900

SHA256
9883715ef043e0e408e1bf30b809222d0328655c3e0d62686a890c5eb538052a

SHA512
f007a33539d4a54576735dc271712aee276ac8e4455473fde55cb8c951ba35bd070408e381eeb642dc1c4829b847ce3af4e94422739558fb62d4c8612926379d

Download Submit
C:\Users\Admin\AppData\Local\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988
MD5
a15f7d939e401a3b64c32d8a029517dc

SHA1
fa5e185b24dbcfa7faae03036c7e66c9deac4900

SHA256
9883715ef043e0e408e1bf30b809222d0328655c3e0d62686a890c5eb538052a

SHA512
f007a33539d4a54576735dc271712aee276ac8e4455473fde55cb8c951ba35bd070408e381eeb642dc1c4829b847ce3af4e94422739558fb62d4c8612926379d

Download Submit
C:\Users\Admin\AppData\Local\f8c8f1285d826bc63910aaf97db97186ba642b4f
MD5
a8386b1256923ea02e6d34034dae6b73

SHA1
f8359dbbe12abb4fa9ca8289598a82623091e207

SHA256
e7fc5e4f5290f66f0aad98d3e2dfc4c1a37fb767cc60218c2ed29f4bb1deb598

SHA512
2a345dfb097421ac2c8c57b560ce02130c7ba2d62d59190290efdb5b92d85e6a5a341769b50f6b17b05c46f726607a7ed85769f8bc392088b60cf57d8ef9717c

Download Submit
C:\Users\Admin\AppData\Local\fontdrvhost.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\Users\Admin\AppData\Local\sppsvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\Users\Admin\AppData\Local\taskhostw.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\Users\Admin\AppData\Local\taskhostw.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\LHhDtlPF.vbe
MD5
d54777130b957cce5fd98b014f22692b

SHA1
d4b1c5213c32b5d50535f5532a68fce906cd34a6

SHA256
b23e310e937017998d80569f06c4c2de1098bb8a313167332036ec4f77d75957

SHA512
0193afdbf04ae421a44133c41576e0bf719e9ea2c3044d7f75c0dc59bbe9565c04ebe942ccf5f4fea123b4073c51a51b8319b3b85ae5b683e38ae51e14f25232

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\elBs4FCCK.bat
MD5
0407b07db5462f371d0d7f737ebf973a

SHA1
11dd83edf63febdf2ea0935e8e7b2519a610738b

SHA256
7b0b55005ae6b1a19be753db6670fc86088a6618888eb7780566ff0ce122a8ec

SHA512
ef5cbed89e0b72627a2345b6a0a0aa7690b4e9991816794e50b6125d78a1e2e9d6268216ae14397d14cb67f9c78ef1ef0c5ad2913f1d7b3d57a125f872267474

Download Submit
C:\driverSaves\mKLt1agSNSLByUmKEYd.bat
MD5
6c33c4c06022c7bbafc1d01caedd0abe

SHA1
3f6e17989ce3a09d183adc2380c659525a67ca0a

SHA256
f78fccb7e0e0d6b89508758a739041ff31526ead74167d22f2aa754db19f6dfc

SHA512
e1f0a27d5c459bdf865612a513d62bd0d6ef7ba649c7f4fac003e6d684cad6e3469b532c0e8689589bdb8ccc0b3d7442f875e97cfec9105481b6b5733f8137b0

Download Submit
memory/196-140-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/196-128-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/196-183-0x0000000006D53000-0x0000000006D54000-memory.dmp

Filesize
4KB

Download
memory/196-188-0x0000000009570000-0x0000000009571000-memory.dmp

Filesize
4KB

Download
memory/196-141-0x0000000008340000-0x0000000008341000-memory.dmp

Filesize
4KB

Download
memory/196-120-0x0000000000000000-mapping.dmp

Download
memory/196-407-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/196-606-0x00000000010D0000-0x00000000010D2000-memory.dmp

Filesize
8KB

Download
memory/196-400-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/196-130-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/196-169-0x0000000009010000-0x0000000009043000-memory.dmp

Filesize
204KB

Download
memory/196-129-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/196-123-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/196-139-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/196-127-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/196-176-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/196-181-0x0000000009420000-0x0000000009421000-memory.dmp

Filesize
4KB

Download
memory/196-126-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/196-124-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/196-125-0x0000000006D52000-0x0000000006D53000-memory.dmp

Filesize
4KB

Download
memory/196-182-0x000000007EC90000-0x000000007EC91000-memory.dmp

Filesize
4KB

Download
memory/364-195-0x0000000000000000-mapping.dmp

Download
memory/408-609-0x000000001AEB0000-0x000000001AEB2000-memory.dmp

Filesize
8KB

Download
memory/688-539-0x0000000000000000-mapping.dmp

Download
memory/712-457-0x0000000000000000-mapping.dmp

Download
memory/784-588-0x000000001B750000-0x000000001B752000-memory.dmp

Filesize
8KB

Download
memory/796-591-0x000000001B910000-0x000000001B912000-memory.dmp

Filesize
8KB

Download
memory/836-525-0x0000000000000000-mapping.dmp

Download
memory/836-529-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/840-472-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

Filesize
8KB

Download
memory/840-468-0x0000000000000000-mapping.dmp

Download
memory/892-379-0x000000001B070000-0x000000001B072000-memory.dmp

Filesize
8KB

Download
memory/892-373-0x0000000000000000-mapping.dmp

Download
memory/964-159-0x000000001B160000-0x000000001B162000-memory.dmp

Filesize
8KB

Download
memory/964-155-0x0000000000000000-mapping.dmp

Download
memory/992-190-0x0000000000000000-mapping.dmp

Download
memory/1040-439-0x0000000000000000-mapping.dmp

Download
memory/1200-514-0x0000000000000000-mapping.dmp

Download
memory/1324-603-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/1484-565-0x0000000000000000-mapping.dmp

Download
memory/1776-542-0x0000000000000000-mapping.dmp

Download
memory/1820-497-0x0000000001730000-0x0000000001732000-memory.dmp

Filesize
8KB

Download
memory/1820-493-0x0000000000000000-mapping.dmp

Download
memory/2012-118-0x0000000000000000-mapping.dmp

Download
memory/2020-561-0x000000001BB80000-0x000000001BB82000-memory.dmp

Filesize
8KB

Download
memory/2020-556-0x0000000000000000-mapping.dmp

Download
memory/2080-460-0x0000000000000000-mapping.dmp

Download
memory/2112-543-0x0000000000000000-mapping.dmp

Download
memory/2112-547-0x000000001B020000-0x000000001B022000-memory.dmp

Filesize
8KB

Download
memory/2132-133-0x0000000000000000-mapping.dmp

Download
memory/2132-138-0x000000001BC20000-0x000000001BC22000-memory.dmp

Filesize
8KB

Download
memory/2132-136-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2192-566-0x0000000000000000-mapping.dmp

Download
memory/2224-485-0x0000000000000000-mapping.dmp

Download
memory/2284-421-0x000000001B400000-0x000000001B402000-memory.dmp

Filesize
8KB

Download
memory/2284-417-0x0000000000000000-mapping.dmp

Download
memory/2304-524-0x0000000000000000-mapping.dmp

Download
memory/2308-582-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download
memory/2328-564-0x0000000000000000-mapping.dmp

Download
memory/2364-516-0x0000000000000000-mapping.dmp

Download
memory/2364-520-0x000000001AD00000-0x000000001AD02000-memory.dmp

Filesize
8KB

Download
memory/2388-571-0x0000000000000000-mapping.dmp

Download
memory/2388-490-0x0000000002A50000-0x0000000002A52000-memory.dmp

Filesize
8KB

Download
memory/2388-486-0x0000000000000000-mapping.dmp

Download
memory/2388-574-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/2540-482-0x0000000000000000-mapping.dmp

Download
memory/2628-456-0x000000001B2D0000-0x000000001B2D2000-memory.dmp

Filesize
8KB

Download
memory/2628-452-0x0000000000000000-mapping.dmp

Download
memory/2696-585-0x000000001AFD0000-0x000000001AFD2000-memory.dmp

Filesize
8KB

Download
memory/2712-424-0x0000000000000000-mapping.dmp

Download
memory/2728-444-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

Filesize
8KB

Download
memory/2728-440-0x0000000000000000-mapping.dmp

Download
memory/2868-422-0x0000000000000000-mapping.dmp

Download
memory/2884-438-0x0000000000000000-mapping.dmp

Download
memory/3148-600-0x000000001ADB0000-0x000000001ADB2000-memory.dmp

Filesize
8KB

Download
memory/3164-579-0x0000000000000000-mapping.dmp

Download
memory/3232-142-0x0000000000000000-mapping.dmp

Download
memory/3232-147-0x000000001BB90000-0x000000001BB92000-memory.dmp

Filesize
8KB

Download
memory/3288-504-0x00000000027A0000-0x00000000027A2000-memory.dmp

Filesize
8KB

Download
memory/3288-500-0x0000000000000000-mapping.dmp

Download
memory/3292-459-0x0000000000000000-mapping.dmp

Download
memory/3292-132-0x0000000000000000-mapping.dmp

Download
memory/3340-523-0x0000000000000000-mapping.dmp

Download
memory/3356-380-0x0000000000000000-mapping.dmp

Download
memory/3356-406-0x0000000001740000-0x0000000001742000-memory.dmp

Filesize
8KB

Download
memory/3372-484-0x0000000000000000-mapping.dmp

Download
memory/3372-521-0x0000000000000000-mapping.dmp

Download
memory/3380-160-0x0000000000000000-mapping.dmp

Download
memory/3580-320-0x0000000001770000-0x0000000001772000-memory.dmp

Filesize
8KB

Download
memory/3580-264-0x0000000000000000-mapping.dmp

Download
memory/3588-184-0x0000000000000000-mapping.dmp

Download
memory/3588-550-0x0000000000000000-mapping.dmp

Download
memory/3588-189-0x000000001B800000-0x000000001B802000-memory.dmp

Filesize
8KB

Download
memory/3588-560-0x0000000001570000-0x0000000001572000-memory.dmp

Filesize
8KB

Download
memory/3596-570-0x000000001B970000-0x000000001B972000-memory.dmp

Filesize
8KB

Download
memory/3596-567-0x0000000000000000-mapping.dmp

Download
memory/3596-594-0x000000001B620000-0x000000001B622000-memory.dmp

Filesize
8KB

Download
memory/3604-435-0x000000001B3D0000-0x000000001B3D2000-memory.dmp

Filesize
8KB

Download
memory/3604-431-0x0000000000000000-mapping.dmp

Download
memory/3696-163-0x0000000000000000-mapping.dmp

Download
memory/3736-194-0x0000000000000000-mapping.dmp

Download
memory/3768-475-0x0000000000000000-mapping.dmp

Download
memory/3768-479-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/3840-541-0x0000000000000000-mapping.dmp

Download
memory/3868-597-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/3884-512-0x0000000000000000-mapping.dmp

Download
memory/3908-425-0x0000000000000000-mapping.dmp

Download
memory/3908-538-0x0000000001460000-0x0000000001462000-memory.dmp

Filesize
8KB

Download
memory/3908-532-0x0000000000000000-mapping.dmp

Download
memory/3944-162-0x0000000000000000-mapping.dmp

Download
memory/3956-449-0x000000001B950000-0x000000001B952000-memory.dmp

Filesize
8KB

Download
memory/3956-445-0x0000000000000000-mapping.dmp

Download
memory/3980-116-0x0000000000000000-mapping.dmp

Download
memory/3984-152-0x000000001B8D0000-0x000000001B8D2000-memory.dmp

Filesize
8KB

Download
memory/3984-148-0x0000000000000000-mapping.dmp

Download
memory/4000-507-0x0000000000000000-mapping.dmp

Download
memory/4000-511-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/4048-436-0x0000000000000000-mapping.dmp

Download
memory/4056-578-0x0000000001640000-0x0000000001642000-memory.dmp

Filesize
8KB

Download
memory/4056-575-0x0000000000000000-mapping.dmp

Download
memory/4064-465-0x000000001B310000-0x000000001B312000-memory.dmp

Filesize
8KB

Download
memory/4064-461-0x0000000000000000-mapping.dmp

Download
memory/4080-515-0x0000000000000000-mapping.dmp

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\winlogon.exe\", \"C:/Users/Admin/AppData/Local/\\powershell.exe\", \"C:/Users/Admin/AppData/Local/\\driverSavesPerfsvcCrtNetSvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\lsass.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\", \"C:/Users/Admin/AppData/Local/\\wininit.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\taskhostw.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\dllhost.exe\", \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\", \"C:/Users/Admin/AppData/Local/\\ShellExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\System.exe\", \"C:/Users/Admin/AppData/Local/\\sppsvc.exe\", \"C:/Users/Admin/AppData/Local/\\fontdrvhost.exe\""	driverSavesPerfsvcCrtNetSvc.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads