quasar | f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

Analysis

max time kernel
162s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
Size

1.1MB
MD5

7a573e252438c649424b65ea23fece59
SHA1

e045ff31b02629170f6dd025a21b674796f056ca
SHA256

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9
SHA512

c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Score

10^/10

quasar venomrat office04 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

dopeillusions.hopto.org:1604

Mutex

VNM_MUTEX_YRuhcILkPkG4OKlC9H

Attributes

encryption_key
3wCBrbJytB9zaYeo3PZe
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2228-156-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2228-156-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchost.exeClient.exesvchost.exeClient.exe

pid	Process
2308	svchost.exe
2228	svchost.exe
1328	Client.exe
2328	svchost.exe
4448	Client.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exef9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exesvchost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	svchost.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Local\\svchost.exe\""	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
39	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exe

description	pid	Process	procid_target
PID 2308 set thread context of 2228	2308	svchost.exe	92
PID 2308 set thread context of 2328	2308	svchost.exe	322

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4432	schtasks.exe
2700	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2204	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exesvchost.exepowershell.exeClient.exesvchost.exepowershell.exeClient.exesvchost.exe

pid	Process
4984	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
4308	powershell.exe
4308	powershell.exe
1328	Client.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2228	svchost.exe
2308	svchost.exe
2308	svchost.exe
3320	powershell.exe
3320	powershell.exe
4448	Client.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid	Process
2308	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe

pid	Process
4064	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exesvchost.exesvchost.exesvchost.exeClient.exepowershell.exesvchost.exeClient.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4064	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
Token: SeDebugPrivilege	4984	svchost.exe
Token: SeDebugPrivilege	2308	svchost.exe
Token: SeDebugPrivilege	2228	svchost.exe
Token: SeDebugPrivilege	1328	Client.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	2328	svchost.exe
Token: SeDebugPrivilege	4448	Client.exe
Token: SeDebugPrivilege	3320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.execmd.exesvchost.execmd.exesvchost.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 4064 wrote to memory of 5000	4064	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	79
PID 4064 wrote to memory of 5000	4064	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	79
PID 4064 wrote to memory of 5000	4064	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	79
PID 5000 wrote to memory of 4984	5000	cmd.exe	81
PID 5000 wrote to memory of 4984	5000	cmd.exe	81
PID 5000 wrote to memory of 4984	5000	cmd.exe	81
PID 4984 wrote to memory of 2060	4984	svchost.exe	84
PID 4984 wrote to memory of 2060	4984	svchost.exe	84
PID 4984 wrote to memory of 2060	4984	svchost.exe	84
PID 4984 wrote to memory of 3956	4984	svchost.exe	86
PID 4984 wrote to memory of 3956	4984	svchost.exe	86
PID 4984 wrote to memory of 3956	4984	svchost.exe	86
PID 3956 wrote to memory of 2308	3956	cmd.exe	88
PID 3956 wrote to memory of 2308	3956	cmd.exe	88
PID 3956 wrote to memory of 2308	3956	cmd.exe	88
PID 2308 wrote to memory of 2900	2308	svchost.exe	89
PID 2308 wrote to memory of 2900	2308	svchost.exe	89
PID 2308 wrote to memory of 2900	2308	svchost.exe	89
PID 2900 wrote to memory of 4108	2900	cmd.exe	91
PID 2900 wrote to memory of 4108	2900	cmd.exe	91
PID 2900 wrote to memory of 4108	2900	cmd.exe	91
PID 2308 wrote to memory of 1884	2308	svchost.exe	93
PID 2308 wrote to memory of 1884	2308	svchost.exe	93
PID 2308 wrote to memory of 1884	2308	svchost.exe	93
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 1884 wrote to memory of 3612	1884	cmd.exe	95
PID 1884 wrote to memory of 3612	1884	cmd.exe	95
PID 1884 wrote to memory of 3612	1884	cmd.exe	95
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 2228	2308	svchost.exe	92
PID 2308 wrote to memory of 448	2308	svchost.exe	96
PID 2308 wrote to memory of 448	2308	svchost.exe	96
PID 2308 wrote to memory of 448	2308	svchost.exe	96
PID 448 wrote to memory of 1784	448	cmd.exe	98
PID 448 wrote to memory of 1784	448	cmd.exe	98
PID 448 wrote to memory of 1784	448	cmd.exe	98
PID 2308 wrote to memory of 2608	2308	svchost.exe	99
PID 2308 wrote to memory of 2608	2308	svchost.exe	99
PID 2308 wrote to memory of 2608	2308	svchost.exe	99
PID 2608 wrote to memory of 2044	2608	cmd.exe	101
PID 2608 wrote to memory of 2044	2608	cmd.exe	101
PID 2608 wrote to memory of 2044	2608	cmd.exe	101
PID 2308 wrote to memory of 2064	2308	svchost.exe	102
PID 2308 wrote to memory of 2064	2308	svchost.exe	102
PID 2308 wrote to memory of 2064	2308	svchost.exe	102
PID 2064 wrote to memory of 1380	2064	cmd.exe	104
PID 2064 wrote to memory of 1380	2064	cmd.exe	104
PID 2064 wrote to memory of 1380	2064	cmd.exe	104
PID 2308 wrote to memory of 2132	2308	svchost.exe	105
PID 2308 wrote to memory of 2132	2308	svchost.exe	105
PID 2308 wrote to memory of 2132	2308	svchost.exe	105
PID 2132 wrote to memory of 1928	2132	cmd.exe	107
PID 2132 wrote to memory of 1928	2132	cmd.exe	107
PID 2132 wrote to memory of 1928	2132	cmd.exe	107
PID 2308 wrote to memory of 1604	2308	svchost.exe	108
PID 2308 wrote to memory of 1604	2308	svchost.exe	108
PID 2308 wrote to memory of 1604	2308	svchost.exe	108
PID 1604 wrote to memory of 1864	1604	cmd.exe	110
PID 1604 wrote to memory of 1864	1604	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
"C:\Users\Admin\AppData\Local\Temp\f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4108
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\svchost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:4432
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J5wDuCvWphjb.bat" "
        7⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2044
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1380
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3140
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:984
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3456
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:5096
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3356
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4916
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:804
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3732
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3600
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:4332
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:5060
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4584
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:5048
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4920
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4304
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:212
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4808
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2156
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:5096
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3732
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3600
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:4336
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3168
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1152
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4216
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4280
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:5024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3116
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:4808
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3884
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:456
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1220
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3320
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3376
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1344
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:4196
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1380
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1508
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Windows security modification
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\svchost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:2700
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        7⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        8⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3316
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:924
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4208
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4808
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2432
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2164
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3188
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4056
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
2KB

MD5
a042e8cb0719bed21df1eca32ddf1b68

SHA1
cd0e0a4ef8c60468beca19e596674d14258d9696

SHA256
936ab2374950a548a39501e00adc14211b2c9a07e0b5590ce431d270f0482112

SHA512
19a51407f8c77c56d952d35f0d2fe01dcf498c090abbd4cda296968d4f7349da4d9fece183bdc3a793f5dd3e4fdc819a203908685f37890f96fe6e2ff55845e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
a042e8cb0719bed21df1eca32ddf1b68

SHA1
cd0e0a4ef8c60468beca19e596674d14258d9696

SHA256
936ab2374950a548a39501e00adc14211b2c9a07e0b5590ce431d270f0482112

SHA512
19a51407f8c77c56d952d35f0d2fe01dcf498c090abbd4cda296968d4f7349da4d9fece183bdc3a793f5dd3e4fdc819a203908685f37890f96fe6e2ff55845e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3f957b328acdf63405c85b6414dcfeca

SHA1
0a71b55627ddd2d851159dff4fd101c61919d5a8

SHA256
b8bf638dc86eb2b37f881513dcde5b7f973aa6d0782940cf9e76e3edadec0b66

SHA512
2eb567c75eb8aff43c595aa2a59cdba1cf472492004dd4aa220640ba936c8c176d36b1eca904c38509e046824850f29661f62304be9520a6d3dafd5e0804df16

Download Submit
C:\Users\Admin\AppData\Local\Temp\J5wDuCvWphjb.bat

Filesize
199B

MD5
e3734387e016b0573be2467d560f698b

SHA1
e1c53668e001787a74f1b848d84c57a723dd3371

SHA256
a18b3b1454300b9bca526f50768998b1cbcc54185aae6b844bd3b21ae9cbdaf4

SHA512
c68aa1b09ff415b049aa240aa7dd7af490a48deae7eff73009d5f32b8b6f54bb72ebfbdb5e31efb4fa55154c98d61e7e64b98b75ea964567d0c7f2d7623f734a

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
memory/176-185-0x0000000000000000-mapping.dmp

Download
memory/384-180-0x0000000000000000-mapping.dmp

Download
memory/448-152-0x0000000000000000-mapping.dmp

Download
memory/616-187-0x0000000000000000-mapping.dmp

Download
memory/804-196-0x0000000000000000-mapping.dmp

Download
memory/952-208-0x0000000000000000-mapping.dmp

Download
memory/984-184-0x0000000000000000-mapping.dmp

Download
memory/1188-183-0x0000000000000000-mapping.dmp

Download
memory/1380-159-0x0000000000000000-mapping.dmp

Download
memory/1504-165-0x0000000000000000-mapping.dmp

Download
memory/1604-162-0x0000000000000000-mapping.dmp

Download
memory/1636-174-0x0000000000000000-mapping.dmp

Download
memory/1784-153-0x0000000000000000-mapping.dmp

Download
memory/1840-203-0x0000000000000000-mapping.dmp

Download
memory/1864-163-0x0000000000000000-mapping.dmp

Download
memory/1884-148-0x0000000000000000-mapping.dmp

Download
memory/1928-161-0x0000000000000000-mapping.dmp

Download
memory/2044-155-0x0000000000000000-mapping.dmp

Download
memory/2060-140-0x0000000000000000-mapping.dmp

Download
memory/2064-158-0x0000000000000000-mapping.dmp

Download
memory/2132-160-0x0000000000000000-mapping.dmp

Download
memory/2228-156-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2228-151-0x0000000000000000-mapping.dmp

Download
memory/2228-197-0x0000000007340000-0x000000000737C000-memory.dmp

Filesize
240KB

Download
memory/2228-168-0x0000000006DE0000-0x0000000006DF2000-memory.dmp

Filesize
72KB

Download
memory/2248-167-0x0000000000000000-mapping.dmp

Download
memory/2268-209-0x0000000000000000-mapping.dmp

Download
memory/2308-149-0x000000000A8F0000-0x000000000A912000-memory.dmp

Filesize
136KB

Download
memory/2308-142-0x0000000000000000-mapping.dmp

Download
memory/2384-188-0x0000000000000000-mapping.dmp

Download
memory/2412-164-0x0000000000000000-mapping.dmp

Download
memory/2416-166-0x0000000000000000-mapping.dmp

Download
memory/2556-198-0x0000000000000000-mapping.dmp

Download
memory/2564-191-0x0000000000000000-mapping.dmp

Download
memory/2608-154-0x0000000000000000-mapping.dmp

Download
memory/2836-173-0x0000000000000000-mapping.dmp

Download
memory/2880-172-0x0000000000000000-mapping.dmp

Download
memory/2900-146-0x0000000000000000-mapping.dmp

Download
memory/2952-169-0x0000000000000000-mapping.dmp

Download
memory/3120-204-0x0000000000000000-mapping.dmp

Download
memory/3140-182-0x0000000000000000-mapping.dmp

Download
memory/3320-235-0x000000006C560000-0x000000006C5AC000-memory.dmp

Filesize
304KB

Download
memory/3320-236-0x00000000047F5000-0x00000000047F7000-memory.dmp

Filesize
8KB

Download
memory/3356-192-0x0000000000000000-mapping.dmp

Download
memory/3380-200-0x0000000000000000-mapping.dmp

Download
memory/3456-186-0x0000000000000000-mapping.dmp

Download
memory/3600-201-0x0000000000000000-mapping.dmp

Download
memory/3612-150-0x0000000000000000-mapping.dmp

Download
memory/3732-199-0x0000000000000000-mapping.dmp

Download
memory/3740-202-0x0000000000000000-mapping.dmp

Download
memory/3944-179-0x0000000000000000-mapping.dmp

Download
memory/3956-141-0x0000000000000000-mapping.dmp

Download
memory/4028-171-0x0000000000000000-mapping.dmp

Download
memory/4060-175-0x0000000000000000-mapping.dmp

Download
memory/4064-132-0x0000000007E50000-0x00000000083F4000-memory.dmp

Filesize
5.6MB

Download
memory/4064-131-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/4064-133-0x0000000007990000-0x0000000007A22000-memory.dmp

Filesize
584KB

Download
memory/4064-130-0x00000000005D0000-0x00000000006F6000-memory.dmp

Filesize
1.1MB

Download
memory/4080-189-0x0000000000000000-mapping.dmp

Download
memory/4108-147-0x0000000000000000-mapping.dmp

Download
memory/4308-223-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/4308-220-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/4308-226-0x0000000007A00000-0x0000000007A08000-memory.dmp

Filesize
32KB

Download
memory/4308-225-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/4308-224-0x0000000007910000-0x000000000791E000-memory.dmp

Filesize
56KB

Download
memory/4308-222-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/4308-221-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/4308-219-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/4308-218-0x000000006C570000-0x000000006C5BC000-memory.dmp

Filesize
304KB

Download
memory/4308-212-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/4308-213-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/4308-214-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4308-215-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/4308-216-0x0000000002A55000-0x0000000002A57000-memory.dmp

Filesize
8KB

Download
memory/4308-217-0x00000000073B0000-0x00000000073E2000-memory.dmp

Filesize
200KB

Download
memory/4316-181-0x0000000000000000-mapping.dmp

Download
memory/4332-205-0x0000000000000000-mapping.dmp

Download
memory/4432-206-0x0000000000000000-mapping.dmp

Download
memory/4516-207-0x0000000000000000-mapping.dmp

Download
memory/4652-178-0x0000000000000000-mapping.dmp

Download
memory/4836-170-0x0000000000000000-mapping.dmp

Download
memory/4916-194-0x0000000000000000-mapping.dmp

Download
memory/4940-195-0x0000000000000000-mapping.dmp

Download
memory/4944-177-0x0000000000000000-mapping.dmp

Download
memory/4980-176-0x0000000000000000-mapping.dmp

Download
memory/4984-137-0x0000000009820000-0x00000000099E2000-memory.dmp

Filesize
1.8MB

Download
memory/4984-136-0x0000000008A00000-0x0000000008A66000-memory.dmp

Filesize
408KB

Download
memory/4984-135-0x0000000000000000-mapping.dmp

Download
memory/4984-138-0x0000000009F20000-0x000000000A44C000-memory.dmp

Filesize
5.2MB

Download
memory/4984-139-0x0000000009D70000-0x0000000009D92000-memory.dmp

Filesize
136KB

Download
memory/5000-134-0x0000000000000000-mapping.dmp

Download
memory/5096-190-0x0000000000000000-mapping.dmp

Download
memory/5108-193-0x0000000000000000-mapping.dmp

Download