dcrat | fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Size

2.1MB
MD5

cd1a763ca658b71be35993a9291d4461
SHA1

2effbe1057c3c1aebd05f87ff7aa7459d9433f69
SHA256

fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6
SHA512

d7f3f0e680f81ae7f5062bdd62de252e4dabd06f10aab7623da2783ca8d455394aaf079b8363c797858f9626efea62c034413c00526ae0cfb4be57179736da39
SSDEEP

49152:D3B3BNkmneOg9/liOjsCpfAwq1jwaCJtn:zFBNkB9NiOjsC5A91jw5

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 53 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe		fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\f3b6ecef712a24		fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
		2040	schtasks.exe
		2688	schtasks.exe
		676	schtasks.exe
		2108	schtasks.exe
		1188	schtasks.exe
		1900	schtasks.exe
		2920	schtasks.exe
		2464	schtasks.exe
		2756	schtasks.exe
		328	schtasks.exe
		756	schtasks.exe
		584	schtasks.exe
		1448	schtasks.exe
		1920	schtasks.exe
		1688	schtasks.exe
		3024	schtasks.exe
		1060	schtasks.exe
		1648	schtasks.exe
		2140	schtasks.exe
		2488	schtasks.exe
		2852	schtasks.exe
		2344	schtasks.exe
		240	schtasks.exe
		2828	schtasks.exe
		1696	schtasks.exe
		2192	schtasks.exe
		2388	schtasks.exe
		1604	schtasks.exe
		2712	schtasks.exe
		3048	schtasks.exe
		2020	schtasks.exe
		352	schtasks.exe
		1012	schtasks.exe
		3028	schtasks.exe
		2352	schtasks.exe
		1960	schtasks.exe
		632	schtasks.exe
		2112	schtasks.exe
		2468	schtasks.exe
		1036	schtasks.exe
		2692	schtasks.exe
		2280	schtasks.exe
		1200	schtasks.exe
		1140	schtasks.exe
		1884	schtasks.exe
		1928	schtasks.exe
		1056	schtasks.exe
		2212	schtasks.exe
		1744	schtasks.exe
		1912	schtasks.exe
		1772	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2460	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2460	schtasks.exe	28

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000140000-0x0000000000356000-memory.dmp	dcrat
behavioral1/files/0x0006000000014b1c-32.dat	dcrat
behavioral1/files/0x0008000000015ca8-95.dat	dcrat
behavioral1/files/0x0008000000015cc5-137.dat	dcrat
behavioral1/files/0x0009000000015d0a-163.dat	dcrat
behavioral1/files/0x0036000000013a88-359.dat	dcrat
behavioral1/files/0x0036000000013a88-360.dat	dcrat

Detects executables packed with SmartAssembly 6 IoCs

resource	yara_rule
behavioral1/memory/3064-7-0x00000000006B0000-0x00000000006C0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/3064-12-0x00000000007B0000-0x00000000007BC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/3064-14-0x00000000007D0000-0x00000000007DC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/3064-16-0x00000000007E0000-0x00000000007EC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/3064-21-0x0000000000830000-0x000000000083C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/3064-22-0x0000000000840000-0x000000000084A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

pid	Process
2676	winlogon.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\explorer.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\AppPatch\\lsass.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6 = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6 = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Media Player\\de-DE\\audiodg.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Media Player\\de-DE\\audiodg.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Resources\\Ease of Access Themes\\dllhost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\AppPatch\\lsass.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\services.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\explorer.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Resources\\Ease of Access Themes\\dllhost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Windows Media Player\de-DE\audiodg.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Windows NT\RCX1FE8.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX2D64.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\audiodg.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\7a0fd90576e088	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Windows NT\explorer.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\VideoLAN\VLC\56085415360792	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\Windows NT\explorer.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\wininit.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX2863.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\VideoLAN\VLC\wininit.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\56085415360792	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCX1150.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX1354.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\wininit.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\f3b6ecef712a24	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Windows NT\7a0fd90576e088	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\wininit.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Program Files\Windows Media Player\de-DE\42af1c969fbb7b	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX23EE.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX316C.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\dllhost.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\AppPatch\lsass.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\AppPatch\6203df4a6bafc7	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\Resources\Ease of Access Themes\dllhost.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File created	C:\Windows\Resources\Ease of Access Themes\5940a34987c991	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\AppPatch\RCX265F.tmp	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
File opened for modification	C:\Windows\AppPatch\lsass.exe	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1604	schtasks.exe
3024	schtasks.exe
1140	schtasks.exe
632	schtasks.exe
3028	schtasks.exe
1900	schtasks.exe
2280	schtasks.exe
1056	schtasks.exe
1688	schtasks.exe
676	schtasks.exe
1928	schtasks.exe
2352	schtasks.exe
1012	schtasks.exe
2688	schtasks.exe
2020	schtasks.exe
1060	schtasks.exe
1696	schtasks.exe
352	schtasks.exe
2192	schtasks.exe
1200	schtasks.exe
2692	schtasks.exe
756	schtasks.exe
2388	schtasks.exe
1912	schtasks.exe
1772	schtasks.exe
2344	schtasks.exe
1744	schtasks.exe
2140	schtasks.exe
1188	schtasks.exe
2468	schtasks.exe
2756	schtasks.exe
2212	schtasks.exe
2108	schtasks.exe
1448	schtasks.exe
2852	schtasks.exe
2040	schtasks.exe
240	schtasks.exe
2488	schtasks.exe
1036	schtasks.exe
328	schtasks.exe
2920	schtasks.exe
2464	schtasks.exe
584	schtasks.exe
1960	schtasks.exe
2112	schtasks.exe
2712	schtasks.exe
1920	schtasks.exe
1648	schtasks.exe
2828	schtasks.exe
1884	schtasks.exe
3048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
1708	powershell.exe
2328	powershell.exe
2408	powershell.exe
2456	powershell.exe
2240	powershell.exe
2224	powershell.exe
2244	powershell.exe
1844	powershell.exe
1684	powershell.exe
2496	powershell.exe
1344	powershell.exe
992	powershell.exe
540	powershell.exe
616	powershell.exe
2236	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2676	winlogon.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2328	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	80
PID 3064 wrote to memory of 2328	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	80
PID 3064 wrote to memory of 2328	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	80
PID 3064 wrote to memory of 1708	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	81
PID 3064 wrote to memory of 1708	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	81
PID 3064 wrote to memory of 1708	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	81
PID 3064 wrote to memory of 332	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	83
PID 3064 wrote to memory of 332	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	83
PID 3064 wrote to memory of 332	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	83
PID 3064 wrote to memory of 2240	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	84
PID 3064 wrote to memory of 2240	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	84
PID 3064 wrote to memory of 2240	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	84
PID 3064 wrote to memory of 2860	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	85
PID 3064 wrote to memory of 2860	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	85
PID 3064 wrote to memory of 2860	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	85
PID 3064 wrote to memory of 1684	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	86
PID 3064 wrote to memory of 1684	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	86
PID 3064 wrote to memory of 1684	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	86
PID 3064 wrote to memory of 2236	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	87
PID 3064 wrote to memory of 2236	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	87
PID 3064 wrote to memory of 2236	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	87
PID 3064 wrote to memory of 2496	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	88
PID 3064 wrote to memory of 2496	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	88
PID 3064 wrote to memory of 2496	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	88
PID 3064 wrote to memory of 2224	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	90
PID 3064 wrote to memory of 2224	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	90
PID 3064 wrote to memory of 2224	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	90
PID 3064 wrote to memory of 2456	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	91
PID 3064 wrote to memory of 2456	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	91
PID 3064 wrote to memory of 2456	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	91
PID 3064 wrote to memory of 1344	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	93
PID 3064 wrote to memory of 1344	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	93
PID 3064 wrote to memory of 1344	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	93
PID 3064 wrote to memory of 1844	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	94
PID 3064 wrote to memory of 1844	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	94
PID 3064 wrote to memory of 1844	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	94
PID 3064 wrote to memory of 2408	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	97
PID 3064 wrote to memory of 2408	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	97
PID 3064 wrote to memory of 2408	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	97
PID 3064 wrote to memory of 2244	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	98
PID 3064 wrote to memory of 2244	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	98
PID 3064 wrote to memory of 2244	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	98
PID 3064 wrote to memory of 540	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	99
PID 3064 wrote to memory of 540	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	99
PID 3064 wrote to memory of 540	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	99
PID 3064 wrote to memory of 992	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	101
PID 3064 wrote to memory of 992	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	101
PID 3064 wrote to memory of 992	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	101
PID 3064 wrote to memory of 616	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	102
PID 3064 wrote to memory of 616	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	102
PID 3064 wrote to memory of 616	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	102
PID 3064 wrote to memory of 1560	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	103
PID 3064 wrote to memory of 1560	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	103
PID 3064 wrote to memory of 1560	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	103
PID 3064 wrote to memory of 488	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	116
PID 3064 wrote to memory of 488	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	116
PID 3064 wrote to memory of 488	3064	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe	116
PID 488 wrote to memory of 2708	488	cmd.exe	118
PID 488 wrote to memory of 2708	488	cmd.exe	118
PID 488 wrote to memory of 2708	488	cmd.exe	118
PID 488 wrote to memory of 2676	488	cmd.exe	119
PID 488 wrote to memory of 2676	488	cmd.exe	119
PID 488 wrote to memory of 2676	488	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
"C:\Users\Admin\AppData\Local\Temp\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\de-DE\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xx1rvPQXwC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2708
- - C:\MSOCache\All Users\winlogon.exe
    "C:\MSOCache\All Users\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6f" /sc MINUTE /mo 6 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6f" /sc MINUTE /mo 10 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\de-DE\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\winlogon.exe

Filesize
826KB

MD5
c43eaf253d2b016a96cf245e9f54df02

SHA1
8374a4d054127f46c02508858f339bf9d43335ae

SHA256
2d809fc245d9da2374cc2d307fd234b94e7c17850a2f09f6f2eb603ddbb6f5ac

SHA512
8e420cc675ff9199607eb91b61b618db7204630e1d26ad3aae393d632ce987199ea44b2e8d13f5c70dbc491274c4f83b159ce9b256a12091e06dfeea5739ba39

Download Submit
C:\MSOCache\All Users\winlogon.exe

Filesize
824KB

MD5
f5b5061afb7f71b4b82a945b3d82464e

SHA1
dd0ab464a13d68c0d154831a4568ceb4e579e612

SHA256
390e0e258243b64b734f680eeb870a27466133a1844c40de3dfd9ba7f0f47719

SHA512
e9d825d36d3483e31ad4d183075d045f2033bd80c95d599030d1698230970bcbe20f886ddd535ce35ccab2bb3a3e3a11f475b27d982e7fbc4de4b65aa1066cc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
2.1MB

MD5
cd1a763ca658b71be35993a9291d4461

SHA1
2effbe1057c3c1aebd05f87ff7aa7459d9433f69

SHA256
fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6

SHA512
d7f3f0e680f81ae7f5062bdd62de252e4dabd06f10aab7623da2783ca8d455394aaf079b8363c797858f9626efea62c034413c00526ae0cfb4be57179736da39

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
2.1MB

MD5
3799e0a652c0254ba47c738eaf844e3d

SHA1
76336712fc387260498c7ca1ecdca52dfb7c8d3a

SHA256
66e440fc7d1c8af6ea86466fab5614f48303fb98c2e3b2a2a50c3364424f4ab2

SHA512
4a2aeb5fa17fcd07dbae69b5e404d8ab3410cc48ed0020e9b639f8d40e91a7536543228d08d3aff9dd9916951f24a52792fe21c5bb322ebcb011be2712e5823c

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\wininit.exe

Filesize
2.1MB

MD5
1d025d5e76483b4edf9a85cddfbd5591

SHA1
ecd59806384d61525d3c4a5a88fd7084ba70b8ad

SHA256
f1052c3c8d3d96ee0bb261710c64e727ffc8a399ea3bb870ead04522c639714e

SHA512
2ba474c79b3643bfce8359f7107e78a94cb81275cbe9bc489897d8d1497f2afa16d0de36135ed4d546644a2dabfc63074721f0d9ba46924203fe2931ec8b8765

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1rvPQXwC.bat

Filesize
199B

MD5
b7ab2ca2bf18586c6c3985b2cf34e56e

SHA1
38a0faa2b5f77056e2cde526e361a4c9bf92c105

SHA256
dff96d6b553111bc1447a5dc96705032ff882a2bf78c52c94809089368e56a27

SHA512
1830d8e1d3f66ac28adc6dd82ef9c973e7fd738467d13bd6d4535bd60ec8330f26fbc6377942115ce11c06cf4cfd8a1d08acb72a65613315b1662e23de0042ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
696b22a9b4e445e53052eaafd32ea5ec

SHA1
b4acbe0a59aedf39b69bb94d7502d0ac62884ad4

SHA256
39bfde906a439865a264fb7477caede3445ebc061f41dacd169476451dd7423c

SHA512
46ac541c532224fc43d75967b4d370182b4a3fa4c3863e5d69bda01928131786e68174e64bd629cc7a17dcc0f578fe1b7d7efe9ae887e9eedd77e0750b395bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
2KB

MD5
f0fbdefadb48c26bc8a742c46ef36e30

SHA1
03331fd4dd48ebe167747ae12e19ffa813e19cf9

SHA256
ed4933aacc27f9afc43d6637a5ee1b90e33b256f09cdac0162aadf4e98da85a7

SHA512
3da05ce85f70aa4cdd483893230d6aeadce064a98814566e7efa06582920544db81167bbb01539d50a11ec1af8b311827549ce8132591564decce86bb54d6674

Download Submit
C:\Windows\Resources\Ease of Access Themes\dllhost.exe

Filesize
2.1MB

MD5
62d2adba22f4309cc90443ef7fa8f244

SHA1
de059e61a0373184c29b751ae31a5643fcd05b2b

SHA256
3a2239265093f50f65744e242ce9ee75f28720856133c010db80e2044fe9766f

SHA512
19634dbf5e6218ed60fb2916639264a650e15edb0e28b5c54b09ad7f19f5879a133bd6283060f59167cf6f29ed8fac4b6f3c13f341f3eb7673e4fad369ec3b8a

Download Submit
memory/1708-196-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1708-266-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/1708-271-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/1708-267-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/1708-272-0x0000000002E64000-0x0000000002E67000-memory.dmp

Filesize
12KB

Download
memory/1708-183-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1708-268-0x0000000002E6B000-0x0000000002ED2000-memory.dmp

Filesize
412KB

Download
memory/1708-269-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/1708-270-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2224-294-0x0000000002F60000-0x0000000002FE0000-memory.dmp

Filesize
512KB

Download
memory/2224-295-0x0000000002F60000-0x0000000002FE0000-memory.dmp

Filesize
512KB

Download
memory/2224-296-0x0000000002F60000-0x0000000002FE0000-memory.dmp

Filesize
512KB

Download
memory/2224-293-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2240-292-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2240-289-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2240-291-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/2240-290-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2244-298-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2244-297-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2328-278-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2328-273-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2328-276-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2328-277-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2328-275-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2328-274-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2408-280-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2408-281-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2408-282-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2408-283-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2408-279-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-285-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2456-284-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-301-0x0000000002BAB000-0x0000000002C12000-memory.dmp

Filesize
412KB

Download
memory/2456-287-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2456-288-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2456-286-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2496-299-0x000007FEECD50000-0x000007FEED6ED000-memory.dmp

Filesize
9.6MB

Download
memory/2496-300-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/3064-17-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/3064-9-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/3064-16-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/3064-15-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/3064-14-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/3064-13-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/3064-0-0x0000000000140000-0x0000000000356000-memory.dmp

Filesize
2.1MB

Download
memory/3064-18-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/3064-19-0x0000000000820000-0x000000000082E000-memory.dmp

Filesize
56KB

Download
memory/3064-20-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/3064-12-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/3064-11-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/3064-10-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/3064-197-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-8-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/3064-7-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/3064-6-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/3064-5-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/3064-4-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/3064-3-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/3064-21-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/3064-22-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/3064-23-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/3064-67-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/3064-2-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/3064-1-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

Filesize
9.9MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\audiodg.exe\", \"C:\\Users\\Public\\services.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\audiodg.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\dllhost.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\audiodg.exe\", \"C:\\Users\\Public\\services.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\audiodg.exe\", \"C:\\Program Files\\Windows NT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\wininit.exe\", \"C:\\Windows\\AppPatch\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\audiodg.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\explorer.exe\", \"C:\\MSOCache\\All Users\\winlogon.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\wininit.exe\""	fee7cab33207da0e3f5dad0fb1d59d825a25d231ad6a24279bfb2656f9dfeae6.exe