Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 10:13
Behavioral task behavioral1
Sample: SandeLLoCHECKER_Installer (2).exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: SandeLLoCHECKER_Installer (2).exe
Resource: win10v2004-20240709-en
General
Target: SandeLLoCHECKER_Installer (2).exe
Size: 1.5MB
MD5: 4c52459e292810c1197ed6f2e6486375
SHA1: 12f8ef89e298d758b61b8104aca610ddce9b5b4e
SHA256: 513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc
SHA512: 47bf5deb7661948f84aa8319921ab19dd70e4751475d1682578960d30420c14842f3784f1e416472c252efd3411278711d85ec103664601062606da5a18debe7
SSDEEP: 24576:62G/nvxW3WvwD4cm7HZi6ABOSJcv9c3B8Z3Mnge2RxpA2UQXN58xTY6+2e:6bA3JDDmk6ocv9c3PiixiU+Z
Malware Config
Signatures
DcRat 64 IoCs
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Processes (64 IoCs, all schtasks.exe), by PID:
4300, 2272, 984, 1272, 4272, 3620, 380, 3596, 3520, 2500, 4044, 436, 3628, 220, 3228, 4008, 3144, 464, 4124, 2824, 3452, 1696, 3104, 4044, 3068, 3520, 3480, 4972, 1836, 3468, 4188, 2304, 784, 772, 692, 4528, 772, 3648, 3836, 3512, 5012, 5056, 3964, 2124, 1556, 1156, 2124, 3824, 5032, 1428, 3104, 1400, 3076, 2148, 2712, 1460, 2868, 1484, 3944, 4648, 4376, 5016, 1460, 4064
(Some PIDs appear twice because Windows reuses the ID of a process that has already exited; each entry is a separate schtasks.exe invocation.)
Modifies Winlogon for persistence 2 TTPs 44 IoCs
Processes: surrogateweb.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
process: surrogateweb.exe
All 44 IoCs are rewrites of this single value by surrogateweb.exe. Every observed value begins with explorer.exe, and each write appends one more double-quoted path to the comma-separated list, so every captured value is a prefix of the next longer one. The report records values with 1, 2, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 18, 19, 22, 23, 25, 27, 28, 29, 32, 35, 38, 39, 41 and 44 appended paths; the final record is cut off after "Set".
The longest value is Shell = explorer.exe followed by these 44 quoted paths, comma-separated, in write order:
1. C:\Users\Default\Downloads\cmd.exe
2. C:\Recovery\WindowsRE\wininit.exe
3. C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe
4. C:\Windows\Branding\shellbrd\conhost.exe
5. C:\chainproviderBrowsersvc\RuntimeBroker.exe
6. C:\Windows\it-IT\winlogon.exe
7. C:\Recovery\WindowsRE\backgroundTaskHost.exe
8. C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe
9. C:\Recovery\WindowsRE\csrss.exe
10. C:\Program Files (x86)\Internet Explorer\taskhostw.exe
11. C:\chainproviderBrowsersvc\RuntimeBroker.exe
12. C:\Program Files\dotnet\Idle.exe
13. C:\Users\Public\smss.exe
14. C:\Recovery\WindowsRE\surrogateweb.exe
15. C:\Recovery\WindowsRE\dllhost.exe
16. C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe
17. C:\Windows\Cursors\WaaSMedicAgent.exe
18. C:\Program Files (x86)\Microsoft.NET\System.exe
19. C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe
20. C:\Users\Public\Documents\smss.exe
21. C:\Program Files\Common Files\Services\smss.exe
22. C:\chainproviderBrowsersvc\System.exe
23. C:\Recovery\WindowsRE\System.exe
24. C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
25. C:\Recovery\WindowsRE\Registry.exe
26. C:\Recovery\WindowsRE\lsass.exe
27. C:\Program Files (x86)\Google\RuntimeBroker.exe
28. C:\Recovery\WindowsRE\dwm.exe
29. C:\Windows\DigitalLocker\en-US\fontdrvhost.exe
30. C:\Recovery\WindowsRE\winlogon.exe
31. C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe
32. C:\Users\Public\fontdrvhost.exe
33. C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe
34. C:\Recovery\WindowsRE\services.exe
35. C:\Windows\SoftwareDistribution\dwm.exe
36. C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe
37. C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe
38. C:\Users\All Users\Start Menu\winlogon.exe
39. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe
40. C:\Recovery\WindowsRE\wininit.exe
41. C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe
42. C:\chainproviderBrowsersvc\taskhostw.exe
43. C:\chainproviderBrowsersvc\unsecapp.exe
44. C:\Users\Default\csrss.exe
Entries 2 and 40, and 5 and 11, are duplicates within the value itself. Entry 14 is the writing process, surrogateweb.exe, so the persistence list also relaunches the component that maintains it. Every name on the list is that of a core Windows process (or, for Registry, System and Idle, a kernel pseudo-process that has no executable on disk), placed in a directory Windows never runs it from.
value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", 
\"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", 
\"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\dwm.exe\", \"C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\smss.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", 
\"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\123.0.6312.106\\Installer\\winlogon.exe\", \"C:\\chainproviderBrowsersvc\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\unsecapp.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program 
Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program 
Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\dwm.exe\", \"C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\taskhostw.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", 
\"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\dwm.exe\", \"C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\smss.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", 
\"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\dwm.exe\", \"C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\smss.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\123.0.6312.106\\Installer\\winlogon.exe\", \"C:\\chainproviderBrowsersvc\\taskhostw.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet 
Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", 
\"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files 
(x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows 
NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\dwm.exe\", \"C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\smss.exe\", \"C:\\Users\\All Users\\Start Menu\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" surrogateweb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program 
Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\"" surrogateweb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Downloads\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Users\\All Users\\Package Cache\\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\\sppsvc.exe\", \"C:\\Windows\\Branding\\shellbrd\\conhost.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\", \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\Idle.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\Recovery\\WindowsRE\\surrogateweb.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\", \"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\", \"C:\\Users\\Public\\Documents\\smss.exe\", \"C:\\Program Files\\Common Files\\Services\\smss.exe\", \"C:\\chainproviderBrowsersvc\\System.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" surrogateweb.exe -
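The Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is normally just explorer.exe. Winlogon starts every comma-separated program listed in it at logon, which is why the sample keeps rewriting the value with a growing list of quoted paths: each one is a copy named after a core Windows process (csrss.exe, lsass.exe, winlogon.exe, smss.exe, dwm.exe and so on) but placed outside the system directories, in locations such as C:\Recovery\WindowsRE, C:\Users\Public or C:\Program Files (x86)\MSBuild. The following Python is an added example, not part of the sandbox report or of the sample's own code: it parses a Shell value in that layout and separates the stock shell from added programs and from core-process names sitting outside System32/SysWOW64. The core-name list, the trusted-directory set and the sample value (assembled from paths in the report plus one invented C:\ProgramData\Vendor\updater.exe entry) are assumptions; on a Windows host the live value is read with winreg instead.

```python
import csv
import ntpath
from typing import Dict, List

DEFAULT_SHELL = "explorer.exe"

# Names of core Windows binaries (and pseudo-processes such as System, Registry
# and Idle) that the sample reused. Outside System32/SysWOW64 a file with one of
# these names is masquerading. Hypothetical list, not exhaustive.
WINDOWS_CORE_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "dwm.exe", "fontdrvhost.exe", "conhost.exe", "dllhost.exe",
    "runtimebroker.exe", "taskhostw.exe", "sppsvc.exe", "waasmedicagent.exe",
    "backgroundtaskhost.exe", "startmenuexperiencehost.exe", "unsecapp.exe",
    "system.exe", "registry.exe", "idle.exe", "explorer.exe", "cmd.exe",
}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_shell_value(value: str) -> List[str]:
    """Split a Winlogon\\Shell string into its entries.

    Winlogon runs every comma-separated program in the value; entries that
    contain spaces are double-quoted, which the csv module handles for us."""
    row = next(csv.reader([value], delimiter=",", quotechar='"', skipinitialspace=True))
    return [e.strip() for e in row if e.strip()]


def classify_entry(entry: str) -> str:
    """'default' for the stock shell, 'masquerade' for a core-process name in
    an untrusted directory, 'extra' for any other added program."""
    name = ntpath.basename(entry).lower()
    parent = ntpath.dirname(entry).lower()
    if name == DEFAULT_SHELL and parent in ("", r"c:\windows"):
        return "default"
    if name in WINDOWS_CORE_NAMES and parent not in TRUSTED_DIRS:
        return "masquerade"
    return "extra"


def analyze_shell_value(value: str) -> Dict[str, List[str]]:
    """Group the entries of a Shell value by classification."""
    result: Dict[str, List[str]] = {"default": [], "extra": [], "masquerade": []}
    for entry in parse_shell_value(value):
        result[classify_entry(entry)].append(entry)
    return result


def read_live_shell_value() -> str:
    """Read HKLM\\...\\Winlogon\\Shell on a Windows host; '' elsewhere."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return ""
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


# Constructed sample: the stock shell, seven paths taken from the report's
# Shell value, and one hypothetical non-masquerading path (updater.exe).
SAMPLE_SHELL = (
    r'explorer.exe, "C:\Users\Default\Downloads\cmd.exe", '
    r'"C:\Recovery\WindowsRE\wininit.exe", '
    r'"C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe", '
    r'"C:\Windows\Branding\shellbrd\conhost.exe", '
    r'"C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe", '
    r'"C:\Recovery\WindowsRE\csrss.exe", '
    r'"C:\Program Files\dotnet\Idle.exe", '
    r'"C:\ProgramData\Vendor\updater.exe"'
)

if __name__ == "__main__":
    value = read_live_shell_value() or SAMPLE_SHELL
    for kind, entries in analyze_shell_value(value).items():
        for entry in entries:
            print(f"{kind:10s} {entry}")
```

Anything other than a single explorer.exe entry deserves a look, but the masquerade bucket is the one to alert on: a file called csrss.exe or lsass.exe that is not in System32 is never legitimate, regardless of what the Shell value is otherwise doing.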
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Note that WmiPrvSE.exe is also the parent of any process started through WMI (Win32_Process.Create), so with schtasks.exe as the child this pattern can equally mean that scheduled tasks are being created over WMI, rather than that the WMI provider host itself was exploited.
Processes: schtasks.exe (64 instances)
description pid pid_target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2184 (wmiprvse.exe) for every entry; process: schtasks.exe for every entry
pid (child schtasks.exe), in the order listed: 3432, 464, 4712, 3180, 2312, 5032, 772, 1480, 4648, 1156, 2500, 3424, 4044, 3468, 380, 2124, 3452, 1556, 2712, 2192, 4528, 1428, 5024, 2092, 3512, 1696, 2688, 4168, 3620, 868, 4008, 1160, 4508, 636, 3144, 428, 3648, 4852, 2344, 2864, 2668, 2384, 4272, 4064, 1836, 760, 3836, 692
(the listing is truncated after these 48 entries)
4124 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4376 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 704 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3104 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1388 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5032 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 772 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3076 2184 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3424 2184 schtasks.exe -
Processes:
resource | yara_rule
C:\chainproviderBrowsersvc\surrogateweb.exe | dcrat
behavioral2/memory/1804-13-0x0000000000650000-0x0000000000782000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | surrogateweb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | surrogateweb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | surrogateweb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | surrogateweb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | surrogateweb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | SandeLLoCHECKER_Installer (2).exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
1804 | surrogateweb.exe
4356 | surrogateweb.exe
4828 | surrogateweb.exe
4368 | surrogateweb.exe
2732 | surrogateweb.exe
428 | taskhostw.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\dotnet\\Idle.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Schema\\explorer.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surrogateweb = "\"C:\\Recovery\\WindowsRE\\surrogateweb.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\chainproviderBrowsersvc\\System.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Internet Explorer\\taskhostw.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\DigitalLocker\\en-US\\fontdrvhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\it-IT\\winlogon.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\StartMenuExperienceHost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Start Menu\\winlogon.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Common Files\\Services\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\chainproviderBrowsersvc\\taskhostw.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\dotnet\\Idle.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\chainproviderBrowsersvc\\System.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Google\\Chrome\\Application\\123.0.6312.106\\Installer\\winlogon.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\csrss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Documents\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\Cursors\\WaaSMedicAgent.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Documents\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\Registration\\StartMenuExperienceHost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\SoftwareDistribution\\dwm.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Google\\Chrome\\Application\\123.0.6312.106\\Installer\\winlogon.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surrogateweb = "\"C:\\Recovery\\WindowsRE\\surrogateweb.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Google\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\taskhostw.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\smss.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default\\Downloads\\cmd.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Branding\\shellbrd\\conhost.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\MSBuild\\WaaSMedicAgent.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\RuntimeBroker.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\System.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default\\Downloads\\cmd.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\chainproviderBrowsersvc\\unsecapp.exe\"" | surrogateweb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\chainproviderBrowsersvc\\taskhostw.exe\"" | surrogateweb.exe
-
Drops file in Program Files directory 29 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Common Files\Services\smss.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Google\RuntimeBroker.exe | surrogateweb.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\9e8d7a4ca61bd9 | surrogateweb.exe
File created | C:\Program Files (x86)\Internet Explorer\ea9f0e6c9e2dcd | surrogateweb.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\69ddcba757bf72 | surrogateweb.exe
File created | C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe | surrogateweb.exe
File created | C:\Program Files (x86)\MSBuild\c82b8037eab33d | surrogateweb.exe
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\55b276f4edf653 | surrogateweb.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe | surrogateweb.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\9e8d7a4ca61bd9 | surrogateweb.exe
File created | C:\Program Files (x86)\Microsoft.NET\System.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe | surrogateweb.exe
File created | C:\Program Files\Common Files\Services\69ddcba757bf72 | surrogateweb.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe | surrogateweb.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe | surrogateweb.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\cc11b995f2a76d | surrogateweb.exe
File created | C:\Program Files\dotnet\Idle.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Google\9e8d7a4ca61bd9 | surrogateweb.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\55b276f4edf653 | surrogateweb.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Internet Explorer\taskhostw.exe | surrogateweb.exe
File created | C:\Program Files\dotnet\6ccacd8608530f | surrogateweb.exe
File created | C:\Program Files (x86)\Microsoft.NET\27d1bcfc3c54e0 | surrogateweb.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991 | surrogateweb.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe | surrogateweb.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe | surrogateweb.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\7a0fd90576e088 | surrogateweb.exe
-
Drops file in Windows directory 11 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Cursors\WaaSMedicAgent.exe | surrogateweb.exe
File created | C:\Windows\Cursors\c82b8037eab33d | surrogateweb.exe
File created | C:\Windows\DigitalLocker\en-US\fontdrvhost.exe | surrogateweb.exe
File created | C:\Windows\DigitalLocker\en-US\5b884080fd4f94 | surrogateweb.exe
File created | C:\Windows\SoftwareDistribution\6cb0b6c459d5d3 | surrogateweb.exe
File created | C:\Windows\Branding\shellbrd\088424020bedd6 | surrogateweb.exe
File created | C:\Windows\it-IT\winlogon.exe | surrogateweb.exe
File created | C:\Windows\it-IT\cc11b995f2a76d | surrogateweb.exe
File opened for modification | C:\Windows\Cursors\WaaSMedicAgent.exe | surrogateweb.exe
File created | C:\Windows\SoftwareDistribution\dwm.exe | surrogateweb.exe
File created | C:\Windows\Branding\shellbrd\conhost.exe | surrogateweb.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | SandeLLoCHECKER_Installer (2).exe
Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | surrogateweb.exe
Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | surrogateweb.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3452 | schtasks.exe
636 | schtasks.exe
2092 | schtasks.exe
5040 | schtasks.exe
784 | schtasks.exe
2572 | schtasks.exe
2712 | schtasks.exe
5032 | schtasks.exe
1156 | schtasks.exe
3452 | schtasks.exe
3944 | schtasks.exe
220 | schtasks.exe
3228 | schtasks.exe
2500 | schtasks.exe
1836 | schtasks.exe
3144 | schtasks.exe
2148 | schtasks.exe
5016 | schtasks.exe
3104 | schtasks.exe
4712 | schtasks.exe
1156 | schtasks.exe
2500 | schtasks.exe
1160 | schtasks.exe
3836 | schtasks.exe
4300 | schtasks.exe
868 | schtasks.exe
3468 | schtasks.exe
380 | schtasks.exe
4272 | schtasks.exe
3076 | schtasks.exe
3480 | schtasks.exe
4528 | schtasks.exe
4852 | schtasks.exe
2864 | schtasks.exe
3824 | schtasks.exe
5024 | schtasks.exe
552 | schtasks.exe
4128 | schtasks.exe
428 | schtasks.exe
2668 | schtasks.exe
2480 | schtasks.exe
3424 | schtasks.exe
2880 | schtasks.exe
2092 | schtasks.exe
1480 | schtasks.exe
3648 | schtasks.exe
3068 | schtasks.exe
1556 | schtasks.exe
436 | schtasks.exe
464 | schtasks.exe
3144 | schtasks.exe
2344 | schtasks.exe
3520 | schtasks.exe
4648 | schtasks.exe
2688 | schtasks.exe
704 | schtasks.exe
1428 | schtasks.exe
1760 | schtasks.exe
436 | schtasks.exe
4168 | schtasks.exe
440 | schtasks.exe
528 | schtasks.exe
868 | schtasks.exe
4188 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid | process
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
1804 | surrogateweb.exe
4356 | surrogateweb.exe
4356 | surrogateweb.exe
4356 | surrogateweb.exe
4828 | surrogateweb.exe
4828 | surrogateweb.exe
4828 | surrogateweb.exe
4828 | surrogateweb.exe
4828 | surrogateweb.exe
4368 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
2732 | surrogateweb.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
428 | taskhostw.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
428 | taskhostw.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1804 | surrogateweb.exe
Token: SeDebugPrivilege | 4356 | surrogateweb.exe
Token: SeDebugPrivilege | 4828 | surrogateweb.exe
Token: SeDebugPrivilege | 4368 | surrogateweb.exe
Token: SeDebugPrivilege | 2732 | surrogateweb.exe
Token: SeDebugPrivilege | 428 | taskhostw.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
description | pid | process | target process
PID 3956 wrote to memory of 1544 | 3956 | SandeLLoCHECKER_Installer (2).exe | WScript.exe
PID 3956 wrote to memory of 1544 | 3956 | SandeLLoCHECKER_Installer (2).exe | WScript.exe
PID 3956 wrote to memory of 1544 | 3956 | SandeLLoCHECKER_Installer (2).exe | WScript.exe
PID 1544 wrote to memory of 324 | 1544 | WScript.exe | cmd.exe
PID 1544 wrote to memory of 324 | 1544 | WScript.exe | cmd.exe
PID 1544 wrote to memory of 324 | 1544 | WScript.exe | cmd.exe
PID 324 wrote to memory of 1804 | 324 | cmd.exe | surrogateweb.exe
PID 324 wrote to memory of 1804 | 324 | cmd.exe | surrogateweb.exe
PID 1804 wrote to memory of 4356 | 1804 | surrogateweb.exe | surrogateweb.exe
PID 1804 wrote to memory of 4356 | 1804 | surrogateweb.exe | surrogateweb.exe
PID 4356 wrote to memory of 4804 | 4356 | surrogateweb.exe | cmd.exe
PID 4356 wrote to memory of 4804 | 4356 | surrogateweb.exe | cmd.exe
PID 4804 wrote to memory of 4832 | 4804 | cmd.exe | w32tm.exe
PID 4804 wrote to memory of 4832 | 4804 | cmd.exe | w32tm.exe
PID 4804 wrote to memory of 4828 | 4804 | cmd.exe | surrogateweb.exe
PID 4804 wrote to memory of 4828 | 4804 | cmd.exe | surrogateweb.exe
PID 4828 wrote to memory of 5096 | 4828 | surrogateweb.exe | cmd.exe
PID 4828 wrote to memory of 5096 | 4828 | surrogateweb.exe | cmd.exe
PID 5096 wrote to memory of 1676 | 5096 | cmd.exe | w32tm.exe
PID 5096 wrote to memory of 1676 | 5096 | cmd.exe | w32tm.exe
PID 5096 wrote to memory of 4368 | 5096 | cmd.exe | surrogateweb.exe
PID 5096 wrote to memory of 4368 | 5096 | cmd.exe | surrogateweb.exe
PID 4368 wrote to memory of 2732 | 4368 | surrogateweb.exe | surrogateweb.exe
PID 4368 wrote to memory of 2732 | 4368 | surrogateweb.exe | surrogateweb.exe
PID 2732 wrote to memory of 428 | 2732 | surrogateweb.exe | taskhostw.exe
PID 2732 wrote to memory of 428 | 2732 | surrogateweb.exe | taskhostw.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\WScript.exe (depth 2)
  command line: "C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: C:\Windows\system32\cmd.exe /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "
- Suspicious use of WriteProcessMemory
PID:324 -
C:\chainproviderBrowsersvc\surrogateweb.exe (depth 4)
  command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\chainproviderBrowsersvc\surrogateweb.exe (depth 5)
  command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\System32\cmd.exe (depth 6)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p7fNVDzLAP.bat"
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\system32\w32tm.exe (depth 7)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4832
-
C:\chainproviderBrowsersvc\surrogateweb.exe (depth 7)
  command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\System32\cmd.exe (depth 8)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MihSKbgfkU.bat"
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\system32\w32tm.exe (depth 9)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1676
-
C:\chainproviderBrowsersvc\surrogateweb.exe (depth 9)
  command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\chainproviderBrowsersvc\surrogateweb.exe (depth 10)
  command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\chainproviderBrowsersvc\taskhostw.exe (depth 11)
  command line: "C:\chainproviderBrowsersvc\taskhostw.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:428
-
C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\cmd.exe'" /f
- Process spawned unexpected child process
PID:3432
-
C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Downloads\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464
-
C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712
-
C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
- Process spawned unexpected child process
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\shellbrd\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\shellbrd\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\dotnet\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "surrogatewebs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\surrogateweb.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "surrogateweb" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\surrogateweb.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "surrogatewebs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\surrogateweb.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
PID:760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\WaaSMedicAgent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Cursors\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f1⤵
- Process spawned unexpected child process
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f1⤵
- Process spawned unexpected child process
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\System.exe'" /f1⤵
- Process spawned unexpected child process
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\System.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:4044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- DcRat
PID:380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵PID:4528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f1⤵PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f1⤵PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f1⤵PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f1⤵PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f1⤵PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵PID:4124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\fontdrvhost.exe'" /f1⤵
- DcRat
PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:5056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe'" /f1⤵PID:4356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵PID:4832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:5012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\dwm.exe'" /f1⤵PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\dwm.exe'" /rl HIGHEST /f1⤵PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe'" /f1⤵PID:4836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Local\Temporary Internet Files\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f1⤵
- DcRat
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /f1⤵PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe'" /f1⤵PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\chainproviderBrowsersvc\taskhostw.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\taskhostw.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\taskhostw.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\unsecapp.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\chainproviderBrowsersvc\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /f1⤵
- DcRat
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1460
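The task-creation pattern above is regular enough to hunt for mechanically: every dropped copy borrows the name of a Windows system binary (csrss.exe, winlogon.exe, smss.exe, dwm.exe, RuntimeBroker.exe, even System.exe and Registry.exe, which are kernel pseudo-processes and never exist as files), is registered three times (a MINUTE trigger, an ONLOGON trigger with /rl HIGHEST, and a second MINUTE trigger with /rl HIGHEST), and gets a task name that is just the file name, optionally with its first letter repeated (csrssc, winlogonw, RuntimeBrokerR). The script below is an added example, not part of the sandbox output and not DcRat code: it parses `schtasks.exe /create` command lines from process-creation telemetry (Sysmon Event ID 1 or Security 4688 in practice; here a constructed list copying four lines from the tree above plus one invented benign task) and reports which of those traits each task shows. The directory allow-list and the 15-minute watchdog threshold are assumptions, not values taken from the report.

```python
"""Hunt for DcRat-style schtasks persistence in process-creation command lines.

Added example for this report, not part of the sandbox output. Standard
library only. The directory allow-list and the watchdog threshold are
assumptions; tune them to the image you are hunting on.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Binaries whose names the sample reuses for its dropped copies. System, Idle and
# Registry are kernel pseudo-processes: they never exist as .exe files, so any
# file by that name is suspicious wherever it lives.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsass.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "dwm.exe", "fontdrvhost.exe", "conhost.exe", "dllhost.exe",
    "taskhostw.exe", "runtimebroker.exe", "explorer.exe", "sppsvc.exe",
    "unsecapp.exe", "backgroundtaskhost.exe", "startmenuexperiencehost.exe",
    "waasmedicagent.exe", "system.exe", "idle.exe", "registry.exe",
}
NEVER_A_FILE = {"system.exe", "idle.exe", "registry.exe"}

# Directories the real binaries run from (assumption; extend for your image).
LEGIT_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\windows\\systemapps\\")
LEGIT_EXACT = {"c:\\windows\\explorer.exe"}

# A MINUTE trigger at or below this interval is treated as a watchdog loop (assumption).
WATCHDOG_MAX_MINUTES = 15

# One token per match: either the body of a double-quoted string or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks_create(cmdline: str) -> Dict[str, object]:
    """Map each /switch of a `schtasks /create` command line to its value (True if bare).
    Returns {} for anything that is not a /create invocation."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _TOKEN.finditer(cmdline)]
    if "/create" not in (t.lower() for t in tokens):
        return {}
    args: Dict[str, object] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                args[tok[1:].lower()] = nxt   # switch followed by its value
                i += 2
                continue
            args[tok[1:].lower()] = True      # bare switch such as /f or /create
        i += 1
    return args


@dataclass
class Finding:
    cmdline: str
    task_name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def assess(cmdline: str) -> Optional[Finding]:
    """Return a Finding listing why this task looks like DcRat persistence, or None."""
    args = parse_schtasks_create(cmdline)
    if not args:
        return None
    # /tr values in the tree are double- and single-quoted: "'C:\...\x.exe'"
    target = str(args.get("tr", "")).strip("'\"")
    path = PureWindowsPath(target)
    name = path.name.lower()
    full = str(path).lower()
    finding = Finding(cmdline, str(args.get("tn", "")), target)

    if name in NEVER_A_FILE:
        finding.reasons.append(f"{path.name} is a kernel pseudo-process name and never exists as a file")
    elif name in SYSTEM_BINARY_NAMES and full not in LEGIT_EXACT \
            and not full.startswith(LEGIT_DIR_PREFIXES):
        finding.reasons.append(f"system binary name {path.name} launched from {path.parent}")

    stem = name[:-4] if name.endswith(".exe") else name
    if stem and finding.task_name.lower() in (stem, stem + stem[0]):
        finding.reasons.append("task name is the target file name (first letter optionally repeated)")

    schedule = str(args.get("sc", "")).upper()
    if schedule == "ONLOGON" and str(args.get("rl", "")).upper() == "HIGHEST":
        finding.reasons.append("runs at every logon with highest available privileges")
    if schedule == "MINUTE":
        try:
            every = int(str(args.get("mo", "1")))   # schtasks defaults /mo to 1
        except ValueError:
            every = 1
        if every <= WATCHDOG_MAX_MINUTES:
            finding.reasons.append(f"relaunched every {every} minute(s): watchdog loop")

    return finding if finding.reasons else None


def hunt(cmdlines: Iterable[str]) -> List[Finding]:
    """Assess every command line and keep the ones with at least one reason."""
    return [f for f in map(assess, cmdlines) if f is not None]


# Constructed sample: four command lines copied from the process tree above, plus one
# invented benign daily backup task to show that an ordinary task is not flagged.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Downloads\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_CMDLINES):
        print(f"[{f.task_name}] -> {f.target}")
        for reason in f.reasons:
            print("    -", reason)
```

Run over the constructed sample, the four lines copied from this report are flagged and the invented backup task is not; the cmd.exe task shows that the name-derivation and ONLOGON/HIGHEST checks still fire for a name that is not on the system-binary list. On a real host, feed the same function the CommandLine field of every process-creation event whose image is schtasks.exe, and treat any task whose target sits under C:\Recovery\WindowsRE, C:\Users\Public, C:\Users\Default or a random Program Files subfolder as a dropped payload to be pulled for the hashes in the Downloads list below.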
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize 125B
MD5 a725d394e43fa8b9e38a37aa0b81b23e
SHA1 96778bced9ae4b9c1515fe9d55978f6a4db9e719
SHA256 92765430f6f7144ebcf6cb120d3fd1521d523a3caf32f93b3305d488fbddd7f2
SHA512 5150672a35298860d45fdd39de4230ef3434455bf0aa30ae76d0cd04ca1865f455b541093da759e446707a108d90271d7b425092004ed316d1962bd5101ea752
-
Filesize 1KB
MD5 7800fca2323a4130444c572374a030f4
SHA1 40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA256 29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512 c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554
-
Filesize 208B
MD5 ab118d33ccf7b9bea3f6bccc2521932a
SHA1 ef279e828625da911fa3ff5b2f973570456e09d3
SHA256 53b1393e159cdacc2e83ccc8b720a34f751147718494ece959d17bd1576559fc
SHA512 3444bb4b5a73981bade42f5a5ab5d58ad80b3cdac3dd5566bae257ad925285c0958d005e9a5a83487ae422296c46e63788446606dfc6064a6a103d9cfb1ee607
-
Filesize 208B
MD5 a4c1a23f9940b86c649a8f43715b000e
SHA1 59974e8986e8b8d0707e4e518651f457a92894be
SHA256 0c8e2f5c2a05d70440a94900dae9e4b1984c2fed26932bc43d8fce3b60c04809
SHA512 3ee4745b5198f730a22a1b29ab028054c8f16a3a276389b66b855aad0443d3f7e3907f5a83850e58778388e7446e317b810303e42119bec99ec30adcf27d7fa2
-
Filesize 45B
MD5 3c8ed674ffedfe6b8d0c064cab60006d
SHA1 7080e2cf3d63412726841df13a193e1e56576d7f
SHA256 0a743db445078b3285505edde00ff06568dc9276d50450cb23e93dc2d13ff1fc
SHA512 26678921909b08733f2bf1e921109775b5b4d45b3be2fa7169b3a413ebe78853023a4927f2f26fc63b78a6d6dc21ed603edce39ee8cb7a703bd247a8d6aad7da
-
Filesize 207B
MD5 899f8aaacb8d91de21a507edf16520e2
SHA1 2e81832c3da7c117b96e87a3891ca41aba7b819d
SHA256 3a8e29e95179d9794c2e3367cb170717682087650ee33b70905c4deb7fbab762
SHA512 7d19a730e8dcc78e265b19fb9c901ccd8456bbaf6d8702c25377f86fe8427c82a918b1a96a50b83ddc6363a169739106bc2e4218097d31cad8e0c0a139bf9f3e
-
Filesize 1.2MB
MD5 263dca09ac216848fa0ce9aea1f1aa04
SHA1 da162b0daf02ee8cf89a011f4a2876efb4694552
SHA256 2bb6c2c2394ec60767a70db1d9098af76e1142de9e9ad9e94c52207c121088a8
SHA512 3d7fd55d1dd95d998b14985aa9bdc6e3d152b6f9e7b52153bdedddd21514805fb3dd339cf6e712a428c329744c263cb945037c82f19c111d6ddbdc7e8d96359d