Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 08:16

Behavioral task: behavioral1
Sample: 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
Resource: win10v2004-20240226-en

General
Target: 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
Size: 1.9MB
MD5: 2a0c47d8f5e14cfda0437c59c57fbce9
SHA1: a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0
SHA256: 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
SHA512: 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5
SSDEEP: 24576:ZcIqg3pZ9Lbp1x5mMnbJ4ANfUAlkDd/2uUpET57RLGKETv/cyUM6MniOlsxvZBSg:3rhDbJ4dAlkpuuUpY57cKEr0a7iOyKc
Malware Config
Signatures
DcRat (64 IoCs)
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Processes:
Modifies WinLogon for persistence (2 TTPs, 32 IoCs)
Processes:
Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance 
Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\", \"C:\\Users\\Default\\Application Data\\WMIADAP.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = 
"explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", 
\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Processes:
resource  yara_rule
behavioral1/memory/1784-1-0x00000000000D0000-0x00000000002CA000-memory.dmp  dcrat
C:\Windows\SchCache\services.exe  dcrat
behavioral1/memory/596-99-0x0000000001110000-0x000000000130A000-memory.dmp  dcrat
behavioral1/memory/932-329-0x0000000000CB0000-0x0000000000EAA000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
Executes dropped EXE 4 IoCs
Processes:
pid  process
596  22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
1352  22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
1740  22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
932  winlogon.exe
Adds Run key to start application 2 TTPs 64 IoCs
Processes:
"\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\"" 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe -
Drops file in Program Files directory 42 IoCs
Drops file in Windows directory 20 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 40 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe" [depth 1]
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8CdVUGgl87.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
PID:1040
-
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2864 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\servicing\Editions\winlogon.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1120 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:824 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\services.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\smss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:396 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\powershell.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2352 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1668 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\powershell.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3WhpAxeQ9a.bat"5⤵
PID:1692
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
PID:1168
-
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1512 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1096 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2036 -
C:\Program Files\Windows Media Player\it-IT\winlogon.exe"C:\Program Files\Windows Media Player\it-IT\winlogon.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\services.exe'" /f1⤵
- Process spawned unexpected child process
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /f1⤵
- Process spawned unexpected child process
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\servicing\Editions\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\servicing\Editions\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Default\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
PID:528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f1⤵
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /f1⤵
- DcRat
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'" /f1⤵
- Creates scheduled task(s)
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'" /rl HIGHEST /f1⤵
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\smss.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /f1⤵
- Creates scheduled task(s)
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /f1⤵
- DcRat
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /rl HIGHEST /f1⤵
- DcRat
- Creates scheduled task(s)
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)
PID:1460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'" /f
- DcRat
- Creates scheduled task(s)
PID:1276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'" /rl HIGHEST /f
PID:2012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /f
- Creates scheduled task(s)
PID:920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)
PID:2728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /f
- Creates scheduled task(s)
PID:2248
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
- DcRat
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
- DcRat
PID:1944
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)