dcrat | 9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

Analysis

max time kernel
22s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb378eeb6557e9441a1b77daaf259b2d.exe
Size

1.3MB
MD5

bb378eeb6557e9441a1b77daaf259b2d
SHA1

d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70
SHA256

9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc
SHA512

7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca
SSDEEP

24576:FZXxCOFbh94+AkAUewXW4DFfepe8YT3f6j7ynSS52qs:FPCOFU+ewJfeg8Y2j2nh52

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 58 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3640	schtasks.exe
		4288	schtasks.exe
		2680	schtasks.exe
		2332	schtasks.exe
		4468	schtasks.exe
		2380	schtasks.exe
		2228	schtasks.exe
		3600	schtasks.exe
		1980	schtasks.exe
		4828	schtasks.exe
		2536	schtasks.exe
		768	schtasks.exe
		4748	schtasks.exe
		2308	schtasks.exe
		1648	schtasks.exe
		2388	schtasks.exe
		1180	schtasks.exe
		2148	schtasks.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\dllhost.exe		bb378eeb6557e9441a1b77daaf259b2d.exe
		2224	schtasks.exe
		4320	schtasks.exe
		2324	schtasks.exe
		1556	schtasks.exe
		684	schtasks.exe
		820	schtasks.exe
		1316	schtasks.exe
		2700	schtasks.exe
		1144	schtasks.exe
		3916	schtasks.exe
		1708	schtasks.exe
		2936	schtasks.exe
		4480	schtasks.exe
		4472	schtasks.exe
		5024	schtasks.exe
		4244	schtasks.exe
		404	schtasks.exe
		2812	schtasks.exe
		4792	schtasks.exe
		1752	schtasks.exe
		5080	schtasks.exe
		4040	schtasks.exe
		3244	schtasks.exe
		1112	schtasks.exe
		212	schtasks.exe
		1012	schtasks.exe
		1520	schtasks.exe
		4756	schtasks.exe
		2448	schtasks.exe
		4780	schtasks.exe
		4564	schtasks.exe
		656	schtasks.exe
		3748	schtasks.exe
		2584	schtasks.exe
		4736	schtasks.exe
		2432	schtasks.exe
		4080	schtasks.exe
		960	schtasks.exe
		2768	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2196	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2196	schtasks.exe	79

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3788-133-0x0000000000820000-0x0000000000970000-memory.dmp	dcrat
behavioral2/files/0x00060000000230b1-145.dat	dcrat
behavioral2/files/0x00060000000230dd-182.dat	dcrat
behavioral2/files/0x00060000000230dd-183.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	bb378eeb6557e9441a1b77daaf259b2d.exe

Executes dropped EXE 1 IoCs

pid	Process
4016	Registry.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Libraries\\dwm.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Libraries\\dwm.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default User\\sihost.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Local Settings\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Sidebar\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\Searches\\sysmon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\twain_32\\services.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Sidebar\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows Mail\\sihost.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb378eeb6557e9441a1b77daaf259b2d = "\"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows Mail\\sihost.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\Searches\\sysmon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\twain_32\\services.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Media\\Quirky\\dwm.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\odt\\winlogon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Local Settings\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default User\\sihost.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb378eeb6557e9441a1b77daaf259b2d = "\"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\odt\\winlogon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Media\\Quirky\\dwm.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Registry.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Registry.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\e6c9b481da804f	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\VideoLAN\VLC\skins\ee2ad38f3d4382	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\121e5b5079f7c0	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Windows NT\43755be926f811	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\0a1fd5f707cd16	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\WindowsApps\SearchApp.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ee2ad38f3d4382	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\Windows Sidebar\7a0fd90576e088	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\Windows Mail\66fc9ff0ee96c2	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files (x86)\Windows NT\bb378eeb6557e9441a1b77daaf259b2d.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\OfficeClickToRun.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\VideoLAN\VLC\skins\Registry.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\dllhost.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\Windows Mail\sihost.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Program Files\Windows Sidebar\explorer.exe	bb378eeb6557e9441a1b77daaf259b2d.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\c5b4cb5e9653cc	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Windows\Media\Quirky\dwm.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Windows\Media\Quirky\6cb0b6c459d5d3	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Windows\LanguageOverlayCache\RuntimeBroker.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Windows\OCR\csrss.exe	bb378eeb6557e9441a1b77daaf259b2d.exe
File created	C:\Windows\twain_32\services.exe	bb378eeb6557e9441a1b77daaf259b2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1316	schtasks.exe
4828	schtasks.exe
1556	schtasks.exe
1520	schtasks.exe
3244	schtasks.exe
212	schtasks.exe
4748	schtasks.exe
2228	schtasks.exe
2448	schtasks.exe
2432	schtasks.exe
960	schtasks.exe
2936	schtasks.exe
5024	schtasks.exe
4468	schtasks.exe
2308	schtasks.exe
2812	schtasks.exe
2380	schtasks.exe
1648	schtasks.exe
2148	schtasks.exe
1012	schtasks.exe
1980	schtasks.exe
1180	schtasks.exe
2584	schtasks.exe
820	schtasks.exe
1708	schtasks.exe
3916	schtasks.exe
4080	schtasks.exe
4564	schtasks.exe
4756	schtasks.exe
656	schtasks.exe
684	schtasks.exe
1112	schtasks.exe
4780	schtasks.exe
404	schtasks.exe
2224	schtasks.exe
5080	schtasks.exe
4040	schtasks.exe
4320	schtasks.exe
2332	schtasks.exe
2324	schtasks.exe
3748	schtasks.exe
2536	schtasks.exe
1144	schtasks.exe
4244	schtasks.exe
2768	schtasks.exe
4472	schtasks.exe
4480	schtasks.exe
3600	schtasks.exe
4792	schtasks.exe
1752	schtasks.exe
2700	schtasks.exe
4736	schtasks.exe
2680	schtasks.exe
768	schtasks.exe
3640	schtasks.exe
4288	schtasks.exe
2388	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	bb378eeb6557e9441a1b77daaf259b2d.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
3788	bb378eeb6557e9441a1b77daaf259b2d.exe
4016	Registry.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	bb378eeb6557e9441a1b77daaf259b2d.exe
Token: SeDebugPrivilege	4016	Registry.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 1580	3788	bb378eeb6557e9441a1b77daaf259b2d.exe	137
PID 3788 wrote to memory of 1580	3788	bb378eeb6557e9441a1b77daaf259b2d.exe	137
PID 1580 wrote to memory of 696	1580	cmd.exe	139
PID 1580 wrote to memory of 696	1580	cmd.exe	139
PID 1580 wrote to memory of 4016	1580	cmd.exe	140
PID 1580 wrote to memory of 4016	1580	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bb378eeb6557e9441a1b77daaf259b2d.exe
"C:\Users\Admin\AppData\Local\Temp\bb378eeb6557e9441a1b77daaf259b2d.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bP2xhvpFKH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:696
- - C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe
    "C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb378eeb6557e9441a1b77daaf259b2db" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\bb378eeb6557e9441a1b77daaf259b2d.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb378eeb6557e9441a1b77daaf259b2d" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\bb378eeb6557e9441a1b77daaf259b2d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb378eeb6557e9441a1b77daaf259b2db" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\bb378eeb6557e9441a1b77daaf259b2d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Quirky\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Quirky\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe

Filesize
1.3MB

MD5
bb378eeb6557e9441a1b77daaf259b2d

SHA1
d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

SHA256
9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

SHA512
7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe

Filesize
1.3MB

MD5
bb378eeb6557e9441a1b77daaf259b2d

SHA1
d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

SHA256
9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

SHA512
7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

Download Submit
C:\Program Files\Windows Sidebar\explorer.exe

Filesize
1.3MB

MD5
bb378eeb6557e9441a1b77daaf259b2d

SHA1
d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

SHA256
9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

SHA512
7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\bP2xhvpFKH.bat

Filesize
218B

MD5
0ece388cc275a82cbcd76715bb39b276

SHA1
d4052d0a3eef479b2c61dc070efd88e92c3a8bc6

SHA256
f60a951750549997224bf79c5701e7a9926fc580fa93ff31ca8cde98504ffd60

SHA512
12fad073e4031913087370ab7896328c078c91667efa335804517a6700f3903de16ca371f5d6ffd44587dc65470b44cf8bd24cfe81a5e389f2039512e3d91ec4

Download Submit
memory/3788-133-0x0000000000820000-0x0000000000970000-memory.dmp

Filesize
1.3MB

Download
memory/3788-134-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/3788-135-0x0000000001330000-0x0000000001380000-memory.dmp

Filesize
320KB

Download
memory/3788-136-0x000000001C370000-0x000000001C898000-memory.dmp

Filesize
5.2MB

Download
memory/4016-184-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Windows\\Media\\Quirky\\dwm.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Registry.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Windows\\Media\\Quirky\\dwm.exe\", \"C:\\odt\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Windows\\Media\\Quirky\\dwm.exe\", \"C:\\odt\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Registry.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Local Settings\\explorer.exe\", \"C:\\Users\\Default User\\sihost.exe\", \"C:\\Program Files\\Windows Mail\\sihost.exe\", \"C:\\Program Files (x86)\\Windows NT\\bb378eeb6557e9441a1b77daaf259b2d.exe\", \"C:\\Program Files\\Windows Sidebar\\explorer.exe\", \"C:\\Users\\Admin\\Searches\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\sppsvc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Schema\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RuntimeBroker.exe\", \"C:\\Windows\\twain_32\\services.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\odt\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\Registry.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\", \"C:\\Windows\\Media\\Quirky\\dwm.exe\""	bb378eeb6557e9441a1b77daaf259b2d.exe