Analysis Overview
SHA256
22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
Threat Level: Known bad
The file 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Dcrat family
Modifies WinLogon for persistence
Process spawned unexpected child process
DCRat payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 08:16
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 08:16
Reported
2024-05-31 08:19
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\", \"C:\\Users\\Default\\Application Data\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\", \"C:\\Users\\Default\\Application Data\\WMIADAP.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\", \"C:\\Users\\Default\\Application Data\\WMIADAP.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\", \"C:\\Program Files\\Windows Media Player\\it-IT\\winlogon.exe\", \"C:\\Users\\All Users\\Favorites\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\", \"C:\\Windows\\Logs\\CBS\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\", \"C:\\Users\\Default\\Application Data\\WMIADAP.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\", \"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\", \"C:\\Program Files\\VideoLAN\\services.exe\", \"C:\\Users\\All Users\\Start Menu\\smss.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\", \"C:\\Users\\Admin\\Cookies\\powershell.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\", \"C:\\Users\\Default\\powershell.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Application Data\\wininit.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\", \"C:\\Windows\\de-DE\\services.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\", \"C:\\Program Files\\Windows Sidebar\\System.exe\", \"C:\\Windows\\SchCache\\services.exe\", \"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\", \"C:\\Windows\\servicing\\Editions\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\SchCache\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Users\\Default\\Application Data\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\de-DE\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Google\\CrashReports\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Users\\Default\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Start Menu\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\VideoLAN\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Users\\Admin\\Cookies\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Common Files\\Services\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\servicing\\Editions\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Media Player\\it-IT\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\SchCache\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Media Player\\it-IT\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Logs\\CBS\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Users\\Default\\Application Data\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Users\\Admin\\Cookies\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Users\\Default\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Application Data\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Favorites\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Sidebar\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Mail\\it-IT\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\VideoLAN\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Application Data\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Favorites\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Logs\\CBS\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\de-DE\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Sidebar\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\audiodg.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\servicing\\Editions\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\inf\\Windows Workflow Foundation 3.0.0.0\\0410\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Start Menu\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\\WMIADAP.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e4002" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\services.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8CdVUGgl87.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\servicing\Editions\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\servicing\Editions\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\servicing\Editions\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Default\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\wininit.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3WhpAxeQ9a.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\WMIADAP.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\WMIADAP.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\WMIADAP.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\dwm.exe'
C:\Program Files\Windows Media Player\it-IT\winlogon.exe
"C:\Program Files\Windows Media Player\it-IT\winlogon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0913612.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
Files
C:\Windows\SchCache\services.exe
| MD5 | 2a0c47d8f5e14cfda0437c59c57fbce9 |
| SHA1 | a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0 |
| SHA256 | 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 |
| SHA512 | 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5 |
memory/1420-95-0x0000000001F40000-0x0000000001F48000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b3b1129db6de8067ced53495005830ba |
| SHA1 | e8f395db04da14e5acbe0ec33c17a964453f16ba |
| SHA256 | aed65ab04af6b37d6b9c28703fcc7ad6b28ec55ac7497a4601a64699181fe2f6 |
| SHA512 | 1ead5da1822fa747633f40e48e7090377ffd1df032433e1f355d3570c77f36fbb2625154704ee6e19643cc5c2a627231f725baeab02a84bf634eb98327f3248d |
memory/1420-94-0x000000001B200000-0x000000001B4E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8CdVUGgl87.bat
| MD5 | d0ac11108337841acbea702e4df93ca5 |
| SHA1 | d9f4a94485caefa88bca9ded6fb2cf5bc8ca5f64 |
| SHA256 | 33c7e4662d0521f04a51239f94378f92667043e66ecc2bc6286c1d26e4775f13 |
| SHA512 | 55a6daf1cbbbcc1649eb69486469a0369916d5135002349f4e579b6464b1f6c23f8c7da5e3bd0fb497d5027b2106b8207eb2c17b7565fc142ba8e0fb8a960b1a |
memory/1784-96-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
memory/596-99-0x0000000001110000-0x000000000130A000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e84a3fe7a1d7aa6c72cae118b9533d44 |
| SHA1 | f18df3cf44b2dc94806e4d6993528def429111ff |
| SHA256 | 9a90619b57e9dace0e978d84dd40594f675cb2a2f4617134e63aea2b0557a760 |
| SHA512 | 686f2c4d7899e83972e862e9df6f0f607b09846fd2ea4612c3f8a10c175b14bdf08d1aff1aabce0fac48de2b79bc6cd73ee467d6b6de76fd86b8411199c61fd8 |
memory/2060-156-0x000000001B440000-0x000000001B722000-memory.dmp
memory/2060-157-0x0000000002400000-0x0000000002408000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bda2eef0c6d24b4216072ef473ed7ca9 |
| SHA1 | 692844b083bf290652eea81ddd0df5f9a2e126c6 |
| SHA256 | 67563dba4ecc35da20ba2e9e2e6f3ea4eabb2f4f3d81e4212e08cb894f337609 |
| SHA512 | 544df5733b7a7d2c8e3e39c238cddc17ab85ccdc76bd0db21a9790916da95826e3372d56b9dce283fbbe3d1a9ded4e44cfe9ba18dc6f1c2dc5cffefba91de2ec |
C:\Users\Admin\AppData\Local\Temp\3WhpAxeQ9a.bat
| MD5 | f38ae231d913dedda6c38fd6d3c00385 |
| SHA1 | 8036c266ceb5c61395fc14896bde7fd183770c40 |
| SHA256 | b3e9ab2b82d71fb2ef08fbe76f224634a0e30339f924c2096f4cfd58b50051e7 |
| SHA512 | faacf8900dea9f2896d4560b9b8478603d95a2ae5c74f2a45ba2d39357de8fb672f98056674d8c8a1a88d8ab2d904fd6b03ea1374bb936cadc6f0b89a6052165 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d50e8cb2ad9d922fadf9f03ded212bbd |
| SHA1 | ee68faf8abd3b55c830e5c536c3e8e52e365da07 |
| SHA256 | f3e0ad1d3b1e0139e04b49d780fab96b718b8b56763f6715888bf4758a1fd68c |
| SHA512 | 393b6dfd6d15e8dd01be33fb17b15495d7c94f11a3e177d8bf3fa39f624d50f611d7efedd65f9cdb5ff68e7189488b693f9c2672792bf721843a7776a2b3d6cc |
memory/932-329-0x0000000000CB0000-0x0000000000EAA000-memory.dmp
memory/932-367-0x0000000000B90000-0x0000000000BA2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 08:16
Reported
2024-05-31 08:19
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\", \"C:\\odt\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\", \"C:\\odt\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\msedge.exe\", \"C:\\odt\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\", \"C:\\odt\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\msedge.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\", \"C:\\odt\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\", \"C:\\odt\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\msedge.exe\", \"C:\\odt\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\PrintDialog\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Public\\Music\\spoolsv.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\odt\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\Searches\\dllhost.exe\", \"C:\\Users\\Admin\\PrintHood\\msedge.exe\", \"C:\\odt\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
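Two of the behaviours in this report are visible purely in process-creation telemetry (Sysmon event 1, or 4688 with command-line auditing): the behavioral1 chain of one powershell.exe per Defender exclusion (`Add-MpPreference -ExclusionPath ...`, each path being a planned drop location), and the rows above where wmiprvse.exe is the parent of schtasks.exe, which is what process telemetry shows when a program launches commands through WMI's Win32_Process.Create instead of spawning them itself. The following Python is an added example for this write-up, not code from the sandbox or from the DCRat tooling. The events are constructed to mirror the report: the parent of the PowerShell processes is assumed to be the dropper, the schtasks command lines are not recorded in the report and so appear as bare image names, and one extra Add-MpPreference call in list form is constructed to exercise the parser.

```python
"""Process-creation triage for two behaviours seen in this report:
  1. powershell.exe adding Microsoft Defender exclusions (Add-MpPreference)
  2. wmiprvse.exe spawning schtasks.exe (child launched through WMI)
Example code added to this write-up; the events below are constructed, not
telemetry exported from the sandbox."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str


# One value, or a comma-separated list of values, each optionally quoted.
_ITEM = r"'[^']*'|\"[^\"]*\"|[^\s,]+"
ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
EXCL_ARG = re.compile(
    rf"-Exclusion(?P<kind>Path|Process|Extension)\s+"
    rf"(?P<val>(?:{_ITEM})(?:\s*,\s*(?:{_ITEM}))*)",
    re.IGNORECASE,
)

# Children a WMI provider host has no business creating; schtasks.exe is the one
# this sample uses. The list is an assumption for the example.
UNEXPECTED_WMIPRVSE_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_defender_exclusions(command_line: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every exclusion an Add-MpPreference call adds.
    kind is 'Path', 'Process' or 'Extension'."""
    if not ADD_MP.search(command_line):
        return []
    found = []
    for m in EXCL_ARG.finditer(command_line):
        kind = m.group("kind").capitalize()
        for item in re.findall(_ITEM, m.group("val")):
            item = item.strip().strip("'\"")
            if item:
                found.append((kind, item))
    return found


def triage(events) -> list[tuple[str, str, str]]:
    """Return (rule, detail, detail) findings for a sequence of ProcEvent."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent == "wmiprvse.exe" and child in UNEXPECTED_WMIPRVSE_CHILDREN:
            findings.append(("unexpected_child", parent, child))
        if child in ("powershell.exe", "pwsh.exe"):
            for kind, value in parse_defender_exclusions(ev.command_line):
                findings.append(("defender_exclusion", kind, value))
    return findings


# --- constructed sample events modelled on the report -----------------------
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe")
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"


def _add_mp(path: str) -> str:
    # Exact shape of the command lines listed in behavioral1.
    return f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"


SAMPLE_EVENTS = [
    # The parent of the PowerShell processes is assumed to be the dropper.
    ProcEvent(DROPPER, POWERSHELL, _add_mp(r"C:\Program Files (x86)\Common Files\Services\lsm.exe")),
    ProcEvent(DROPPER, POWERSHELL, _add_mp(r"C:\Users\Default\Application Data\WMIADAP.exe")),
    ProcEvent(DROPPER, POWERSHELL, _add_mp(r"C:\Users\All Users\Favorites\dwm.exe")),
    # Constructed: list form and the other exclusion kinds, to exercise the parser.
    ProcEvent(DROPPER, POWERSHELL,
              "powershell -Command Add-MpPreference -ExclusionProcess 'winlogon.exe','services.exe' "
              "-ExclusionExtension .bat"),
    # schtasks command lines are not recorded in the report, so only the image is given.
    ProcEvent(WMIPRVSE, r"C:\Windows\system32\schtasks.exe", "schtasks.exe"),
    ProcEvent(WMIPRVSE, r"C:\Windows\system32\schtasks.exe", "schtasks.exe"),
    # Benign controls: a normal service start and a read-only Defender query.
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(DROPPER, POWERSHELL, "powershell -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for rule, a, b in triage(SAMPLE_EVENTS):
        print(f"{rule:20} {a} -> {b}")
```

Two caveats when turning this into a rule. Add-MpPreference only succeeds from an elevated session, and the Defender PowerShell module does not exist on Windows 7, so on the win7 run these invocations cannot have changed anything; on Windows 8.1 and later they succeed silently once the dropper is elevated, which is exactly why the excluded paths double as the later drop locations. And the `wmiprvse.exe -> schtasks.exe` edge hides the real parent: the process that called Win32_Process.Create is only recoverable from WMI-Activity logging or from correlating the task's action with the dropped files.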
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| N/A | N/A | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\odt\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\odt\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\PrintDialog\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\Admin\\Searches\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Music\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Admin\\PrintHood\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Searches\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Music\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Searches\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Download\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Local\\PlaceholderTileLogoFolder\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\PrintDialog\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Admin\\PrintHood\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\msedge.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\odt\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\csrss.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\csrss.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\smss.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\smss.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\61a52ddc9dd915 | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792 | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\PrintDialog\RCX1BE1.tmp | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Windows\servicing\msedge.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Windows\PrintDialog\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File opened for modification | C:\Windows\PrintDialog\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| File created | C:\Windows\PrintDialog\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe
"C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Searches\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\odt\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\csrss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z5SKTjEI4S.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe
"C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | a0913612.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| RU | 141.8.197.42:80 | a0913612.xsph.ru | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\PrintDialog\fontdrvhost.exe
| MD5 | 2a0c47d8f5e14cfda0437c59c57fbce9 |
| SHA1 | a1c37d6d20049b2bc1a1db1d99b4f5b7fcd9c2b0 |
| SHA256 | 22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400 |
| SHA512 | 790702639348c58c99dcf4bd35d3b47bd544c7e4cd43fab90b5643f2917e3549e8e92a09d7aea3fed05766c086bdecdadf70c392289c46dc667e69cde73595d5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duyawjnp.s2n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat
| MD5 | 1c3d9e244097aed5d14afb08e95fc8db |
| SHA1 | c92425e0a0db23ce80d43366761871b52dbfb916 |
| SHA256 | 55d7845b6d62bb6d645ff3944aad77c127938d40e172cd78a89aca4169455c03 |
| SHA512 | 7095d1c94442c3838985f0d5912686a6bad7d2c1533bb0ff14aaf0eb6ec06aeab469d7a8f761fb20e83ac0309ff0689850cc4fbfe684666814adf3d571e8b8d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400.exe.log
| MD5 | 655010c15ea0ca05a6e5ddcd84986b98 |
| SHA1 | 120bf7e516aeed462c07625fbfcdab5124ad05d3 |
| SHA256 | 2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14 |
| SHA512 | e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437 |
C:\Users\Admin\AppData\Local\Temp\z5SKTjEI4S.bat
| MD5 | 3e41781439e60793c55019efef3b5472 |
| SHA1 | a725e54b26c092cf2c0b0bb460230f84b0a659b2 |
| SHA256 | 53f2dfdf4067fe50460a31b591e9face735dce37f31b6baf6754c9d25498e09a |
| SHA512 | f9588872f37f7d10b1f417697efbb707a7e3806e4eab0e771afaacf4561ed0ecfa6843aafe8bfcadfc00b53a4134095994ab6155764d4994b8e5eea0db5d6ab1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4c513fe7261cbb0fd7ec5d03873693d6 |
| SHA1 | 360d69bf9f5ba328d5f039f4802b2546ac346c4b |
| SHA256 | 4dc40c8efd2b217c5552937c9fd2b7ac00bc30ac50a81526ab6655278c5a4dc9 |
| SHA512 | 8c0fbffdfc5003e06c7ae0b53052b3478fbd7e2e1b9028db12248383535d04dcfeb80069295e48c5e0ec60504f45610b7bd944b8852cada005a590660caa04d5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 90355e74a38e1aab8c3a306b3021da95 |
| SHA1 | 4636ca6d7a6e4e3fc740a6a220826b5329b76e1f |
| SHA256 | 5851b1399bab7cbbbec6259b420ef8b2e6d1e8e9e03938d4ee0c04e3597c7658 |
| SHA512 | 63e2b243a807d3e9d8aea8829d695e48d1c5731ae1ba2324870ce94bbf37e74ed00d923f28c2816da338380800de840ea05e855aa870451d64d2274eb3d6a785 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 64bd6b9cd961ecbab7b4879ef63b285e |
| SHA1 | 990d65d9f4509a3ef03e55355eda87e8a30325d0 |
| SHA256 | 3b93e0887bec4c9becb9d0a235b6fbab86812fed1a365f1edfe9670255eeea86 |
| SHA512 | 7c395824d1c4de1fef1fed15987f5654eb021f9c3335294811a0ea2f83cb751e518e494dd8a89ce8fefc6f7e6aaf77430090b45c46465b6b95343bfe347e0901 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 669da47b4b9fbd5be73aa95dae38ae5b |
| SHA1 | 5118811981f4c9dcf0c4c4225824563f917bccda |
| SHA256 | 649b913bb8af13c4c91937cb2675287e92b71f9f8afa0a15575b99b7316ce0e0 |
| SHA512 | 7b554e7cbccd9896c7feb4e8f78d9e2652f04e4696d8a745e0a462b91a43044487e6d4a50dea6853624d32b76445bdf44e10e338ceb32eeeeaa6d8e5f9423b41 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8c8dac626a173014cf7951b9ddfd9a8f |
| SHA1 | 526c3bbee604116a9c0deceab407caec34f3d552 |
| SHA256 | 8e4a00f2a4f734671e00233e626fc950da4f58240f3729470ef592fa00a454a9 |
| SHA512 | 4a1705b19c25c6238c204d7793a1f550e53b14ecb2aae82c32a2dca3d4110f737275cbdfd3ce65db95caf84eeac506d20ece28c96c9114eb0c61e58467471474 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 92d1b5b08e0d9151f0199f6bdb81af67 |
| SHA1 | 1f83ee48b68638867656f3ff5f61bd53f664dfdc |
| SHA256 | 5b9085d4810b609dc57b887ee42c17da88a4b47fdc8aa085545596d5c274631a |
| SHA512 | 4a7022e380529ef96ded5e2d345b3182b66f40510f0b53a7f595ed53cdf9b10ebc1dba018df5bb7a615fc2da7527fe69ab6714cbaa885d6050b3a961dfae0ba0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 06ac741759229a7560289a6696924995 |
| SHA1 | e1808432385699095a0761c601437ebe3e0ec256 |
| SHA256 | d1d2ad030d1a8aee9d8147ea16c8753c946155300339c6e63803a5f7419f9e3d |
| SHA512 | 3f97e1649f3241a64f6cc0e80e9d605c36b5ab658f766066a9326b93db3703710e2bb9e2dd1398bd45a7a854533fed4475d9a61f52d9f092fcb9307853599e85 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eaf2949b53de8c4a84042633ab9545d4 |
| SHA1 | 882fa652ca3ca05f93f383057b9937cf8bff704e |
| SHA256 | 42e02d0d8a7ea1446fadc3a43297652904bb326b3d2d961d83783fb0b47d3d50 |
| SHA512 | 5da2d97fe178b9764c51599f1410f0bb41f5bd7dd37b027f00b378a5d12be57b72dcf9e4800e765384fbf17c784876b5783b08fa940d1db44cfb928ea391bb00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 17a7fc4d25b08f0fa6258f0301b8a8b3 |
| SHA1 | c824f5f1d0a495784ea80cec87d798b24b03374b |
| SHA256 | 3a3da1249b36ef798b2f1b91b850c198c93f6dd32dcc74d7cb959c8a3f61e8cc |
| SHA512 | b7ffa780eefc1d7dcb89e8f58b99f21e987d6b258f93aaf4dcb1a28ecfe1ab3d5943f71aa883adba65e4c17ab4107636fa161d409b30e2231d2f4d5f16816503 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 054ba81f5cfa2dbb92a50c1db20324c1 |
| SHA1 | 54f27a9116b464fee32919b2c29d02652028ab94 |
| SHA256 | e4334e1ffc45c6a87a3b54768fc19c087304dd1ea264f91440723ca387c65e8f |
| SHA512 | ab3da779af16aa847be25a3cfe591154cf68ebe966d1ceaa0d1603539974a6f35284a2a7fce38db176185a37c23b7ea2e11ffd0214f41a7f611cd3d6e5edf0ff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8f0439485bed05b2171699592ec98eb |
| SHA1 | 41f9315c43ceb0e6450e1cc303d6aeb06e72bce7 |
| SHA256 | 1eb8e6d2f67fd48d27858d348ce897664a2f21751b87fe0feaf45e390dd13ff5 |
| SHA512 | 82a018ca7c529ff9a9006942a7a90518d718c331878fd0cef5ecfb7244b1dbf78f05dc56b5329cf674613b8e293263f20cfc56ee89a1c3c4e5a5cb906e6e8db9 |