dcrat | 5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Size

1.5MB
MD5

8a3610882dcd50607fd3fa01d7a27b70
SHA1

3f3823159964a51f3e55decdbe83abaf79ba9d8a
SHA256

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781
SHA512

faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444
SSDEEP

24576:dbfESdvMj6hoGDAQsJ+N6XcHQWq3QY2SrXQLdok0OjYS4mej+T1kJCv:ZEi6GDAQORcwW5/oBjme81

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		1300	schtasks.exe
		2868	schtasks.exe
		2936	schtasks.exe
		2500	schtasks.exe
		3024	schtasks.exe
		520	schtasks.exe
		2932	schtasks.exe
		2556	schtasks.exe
		1168	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f		5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
		2708	schtasks.exe
		2576	schtasks.exe
		2980	schtasks.exe
		2412	schtasks.exe
		1820	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe		5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
		2252	schtasks.exe
		2876	schtasks.exe
		2200	schtasks.exe
		1700	schtasks.exe
		772	schtasks.exe
		1760	schtasks.exe
		1200	schtasks.exe
		808	schtasks.exe
		1216	schtasks.exe
		2588	schtasks.exe
		2256	schtasks.exe
		2000	schtasks.exe
		1656	schtasks.exe
		1696	schtasks.exe
		1620	schtasks.exe
		2052	schtasks.exe
		1744	schtasks.exe
		1008	schtasks.exe
		2872	schtasks.exe
		2752	schtasks.exe
		880	schtasks.exe
		2952	schtasks.exe
		1908	schtasks.exe
		2508	schtasks.exe
		1484	schtasks.exe
		940	schtasks.exe
		2284	schtasks.exe
		2788	schtasks.exe
		2240	schtasks.exe
		2732	schtasks.exe
		2696	schtasks.exe
		1480	schtasks.exe
		1852	schtasks.exe
		2728	schtasks.exe
		2672	schtasks.exe
		2188	schtasks.exe
		852	schtasks.exe
		988	schtasks.exe
		1808	schtasks.exe
		2288	schtasks.exe
		700	schtasks.exe
		268	schtasks.exe
		2324	schtasks.exe
		3040	schtasks.exe
		1640	schtasks.exe
		1160	schtasks.exe
		2264	schtasks.exe
		2660	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2744	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2744	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
568	powershell.exe
584	powershell.exe
2992	powershell.exe
2924	powershell.exe
1752	powershell.exe
1944	powershell.exe
1932	powershell.exe
1532	powershell.exe
2480	powershell.exe
2484	powershell.exe
2384	powershell.exe
520	powershell.exe
1156	powershell.exe
2960	powershell.exe
2528	powershell.exe
2456	powershell.exe
2344	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
2268	csrss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Favorites\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\it-IT\\wininit.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\SchCache\\sppsvc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Resources\\Themes\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\AppPatch\\de-DE\\services.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Globalization\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Media Player\\fr-FR\\taskhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N = "\"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Drops file in Program Files directory 16 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\b75386f1303e64	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Common Files\886983d96e3d3e	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Common Files\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Common Files\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Program Files\Windows Portable Devices\dedc5f73eef243	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX198C.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX1575.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX2F96.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCX3497.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Drops file in Windows directory 20 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

description	ioc	Process
File opened for modification	C:\Windows\SchCache\RCX1DD2.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\AppPatch\de-DE\RCX245A.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\AppPatch\de-DE\services.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\AppPatch\de-DE\services.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\it-IT\wininit.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\it-IT\wininit.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\SchCache\0a1fd5f707cd16	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\AppPatch\de-DE\c5b4cb5e9653cc	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\Globalization\101b941d020240	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\Resources\Themes\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\Resources\Themes\886983d96e3d3e	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\Globalization\lsm.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\it-IT\56085415360792	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\SchCache\sppsvc.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\SchCache\sppsvc.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\Globalization\RCX2872.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\Resources\Themes\RCX2B02.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\Resources\Themes\csrss.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File created	C:\Windows\Globalization\lsm.exe	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
File opened for modification	C:\Windows\it-IT\RCX1B90.tmp	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2872	schtasks.exe
2288	schtasks.exe
2256	schtasks.exe
1620	schtasks.exe
852	schtasks.exe
1160	schtasks.exe
1908	schtasks.exe
1200	schtasks.exe
2412	schtasks.exe
2728	schtasks.exe
2752	schtasks.exe
2868	schtasks.exe
520	schtasks.exe
808	schtasks.exe
2672	schtasks.exe
2708	schtasks.exe
3024	schtasks.exe
1764	schtasks.exe
3040	schtasks.exe
2732	schtasks.exe
2696	schtasks.exe
2932	schtasks.exe
880	schtasks.exe
2240	schtasks.exe
2264	schtasks.exe
1008	schtasks.exe
1696	schtasks.exe
1300	schtasks.exe
2952	schtasks.exe
2508	schtasks.exe
2500	schtasks.exe
2788	schtasks.exe
2588	schtasks.exe
940	schtasks.exe
1324	schtasks.exe
2324	schtasks.exe
2188	schtasks.exe
2980	schtasks.exe
2556	schtasks.exe
1168	schtasks.exe
1820	schtasks.exe
1744	schtasks.exe
1808	schtasks.exe
1700	schtasks.exe
1480	schtasks.exe
772	schtasks.exe
268	schtasks.exe
1640	schtasks.exe
1656	schtasks.exe
2000	schtasks.exe
2052	schtasks.exe
1216	schtasks.exe
2876	schtasks.exe
1760	schtasks.exe
2200	schtasks.exe
988	schtasks.exe
1484	schtasks.exe
2252	schtasks.exe
2660	schtasks.exe
2936	schtasks.exe
700	schtasks.exe
2284	schtasks.exe
1852	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
2528	powershell.exe
2960	powershell.exe
1532	powershell.exe
1932	powershell.exe
1156	powershell.exe
2924	powershell.exe
2384	powershell.exe
2992	powershell.exe
2456	powershell.exe
568	powershell.exe
584	powershell.exe
2480	powershell.exe
2484	powershell.exe
2344	powershell.exe
520	powershell.exe
1752	powershell.exe
1944	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2268	csrss.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.execmd.exe

description	pid	Process	procid_target
PID 1728 wrote to memory of 2960	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	96
PID 1728 wrote to memory of 2960	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	96
PID 1728 wrote to memory of 2960	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	96
PID 1728 wrote to memory of 2484	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	97
PID 1728 wrote to memory of 2484	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	97
PID 1728 wrote to memory of 2484	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	97
PID 1728 wrote to memory of 1932	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	98
PID 1728 wrote to memory of 1932	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	98
PID 1728 wrote to memory of 1932	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	98
PID 1728 wrote to memory of 568	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	100
PID 1728 wrote to memory of 568	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	100
PID 1728 wrote to memory of 568	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	100
PID 1728 wrote to memory of 584	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	101
PID 1728 wrote to memory of 584	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	101
PID 1728 wrote to memory of 584	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	101
PID 1728 wrote to memory of 1532	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	102
PID 1728 wrote to memory of 1532	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	102
PID 1728 wrote to memory of 1532	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	102
PID 1728 wrote to memory of 2992	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	103
PID 1728 wrote to memory of 2992	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	103
PID 1728 wrote to memory of 2992	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	103
PID 1728 wrote to memory of 2384	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	104
PID 1728 wrote to memory of 2384	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	104
PID 1728 wrote to memory of 2384	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	104
PID 1728 wrote to memory of 2480	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	105
PID 1728 wrote to memory of 2480	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	105
PID 1728 wrote to memory of 2480	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	105
PID 1728 wrote to memory of 2924	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	106
PID 1728 wrote to memory of 2924	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	106
PID 1728 wrote to memory of 2924	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	106
PID 1728 wrote to memory of 520	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	107
PID 1728 wrote to memory of 520	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	107
PID 1728 wrote to memory of 520	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	107
PID 1728 wrote to memory of 2528	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	108
PID 1728 wrote to memory of 2528	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	108
PID 1728 wrote to memory of 2528	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	108
PID 1728 wrote to memory of 1752	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	109
PID 1728 wrote to memory of 1752	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	109
PID 1728 wrote to memory of 1752	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	109
PID 1728 wrote to memory of 2456	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	110
PID 1728 wrote to memory of 2456	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	110
PID 1728 wrote to memory of 2456	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	110
PID 1728 wrote to memory of 2344	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	111
PID 1728 wrote to memory of 2344	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	111
PID 1728 wrote to memory of 2344	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	111
PID 1728 wrote to memory of 1156	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	112
PID 1728 wrote to memory of 1156	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	112
PID 1728 wrote to memory of 1156	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	112
PID 1728 wrote to memory of 1944	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	113
PID 1728 wrote to memory of 1944	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	113
PID 1728 wrote to memory of 1944	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	113
PID 1728 wrote to memory of 1980	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	130
PID 1728 wrote to memory of 1980	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	130
PID 1728 wrote to memory of 1980	1728	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe	130
PID 1980 wrote to memory of 2324	1980	cmd.exe	132
PID 1980 wrote to memory of 2324	1980	cmd.exe	132
PID 1980 wrote to memory of 2324	1980	cmd.exe	132
PID 1980 wrote to memory of 2268	1980	cmd.exe	133
PID 1980 wrote to memory of 2268	1980	cmd.exe	133
PID 1980 wrote to memory of 2268	1980	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
"C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\de-DE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Favorites\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PKZ08zKlyu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2324
- - C:\Windows\Resources\Themes\csrss.exe
    "C:\Windows\Resources\Themes\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FwXTIdle" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bY7tIdle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cL2kIdle" /sc ONSTART /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gQr0dllhost" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "exsNdllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sn44dllhost" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Iwxx5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "uIEC5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Yo9n5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N" /sc ONSTART /tr "'C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fmnswininit" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Aeakwininit" /sc ONLOGON /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fAwwininit" /sc ONSTART /tr "'C:\Windows\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "APEjsppsvc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7hVtsppsvc" /sc ONLOGON /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JIs8sppsvc" /sc ONSTART /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gor5lsm" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "E5SMlsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "T3Kalsm" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "E55Nsmss" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e6ujsmss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4Wx0smss" /sc ONSTART /tr "'C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "rKDeservices" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Hj6Eservices" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Lv2gservices" /sc ONSTART /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wmilIdle" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mzQ7Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yEIpIdle" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "z8z4lsm" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "JVRNlsm" /sc ONLOGON /tr "'C:\Windows\Globalization\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aF2Alsm" /sc ONSTART /tr "'C:\Windows\Globalization\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AnL5csrss" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "K1umcsrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "35Oecsrss" /sc ONSTART /tr "'C:\Windows\Resources\Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9dtAdwm" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xgmzdwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "yVpMdwm" /sc ONSTART /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "r6emcsrss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "qTKocsrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Hkmhcsrss" /sc ONSTART /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "xQeCcsrss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "uQLPcsrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bmkucsrss" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Aktptaskhost" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dlNFtaskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "T650taskhost" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sQBJcsrss" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cqcjcsrss" /sc ONLOGON /tr "'C:\ProgramData\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iF6Qcsrss" /sc ONSTART /tr "'C:\ProgramData\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Favorites\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\smss.exe

Filesize
1.5MB

MD5
5e4eabbbc1e8be344ca096559bf3d28d

SHA1
419d0c326f36740a8d624ca9801fd42269773842

SHA256
528f57390248d46caaea4411fb76a65699daf2b7aa9117937fc2740e37090cc5

SHA512
af4fc1ba8034397a72a3fd319bcec782e1088a1ff6add3ce956020ff6c065b982f76de133f9460b832c9213b0e60230c439d725d90db01ef1f13929e0e9de058

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKZ08zKlyu.bat

Filesize
201B

MD5
8da62ef65c7609545b05b5c27c22833d

SHA1
aeaaf106fabd67b6f53430a1e0d773c5a12285c0

SHA256
10298fe43513af33d910c9128a2b817ba86ff12721ed62a4d70965f17b264673

SHA512
f28561f7cdc7af73dee1c7d8dbb90b7ac645eebf018c2b0c980c1eea9922cb109f055b9317e045d06f23cc1408e4485f7ec4522c5e554fae2ef3cbbfd62dce46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d7be19ac3b8bb0dc2e48bc738cbda268

SHA1
92ae49e68a56e44945b84e43919b9dee76a8f1ae

SHA256
cc57ae3a21e53646796812cd034c600dd1d9e9d8ac74d23ac79ee3b1ca4b1a95

SHA512
17e0876019afdd7a085858160b702e67bc0b6bc659a49bd3035f1666cb2eda8c7288017772286295c1bf25c0d23d079fc1f0c96a806ffbde666cf25b679d5aac

Download Submit
C:\Windows\Resources\Themes\csrss.exe

Filesize
1.5MB

MD5
f7622dd670f507df86e0edd3273fc8e6

SHA1
732a0fb443f1a17b38424a9411c3acd63c60de30

SHA256
edf55b034ce99038e8e7deb458abb3c08361ba2ff59c08b12e3eda14c6dbc27e

SHA512
4522f46feac9c327013c6fc9614b1bee5fac4b167feb9aca61e9468eb5120cfe70dfce3b73746a53d98ab41daa9123798623d636558dadc206e55d70275097b1

Download Submit
C:\Windows\SchCache\sppsvc.exe

Filesize
1.5MB

MD5
8a3610882dcd50607fd3fa01d7a27b70

SHA1
3f3823159964a51f3e55decdbe83abaf79ba9d8a

SHA256
5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781

SHA512
faca6c13605606e436ca4c78ce0fd2f8cbafaa5ef72f68aae880ee9528377aff69b58f5e16633ee3cf7bec4f732de86fcebafd1ba1490636d0676f9d0a32a444

Download Submit
memory/1728-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1728-6-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/1728-7-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1728-8-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1728-9-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1728-10-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/1728-11-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1728-12-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1728-13-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1728-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1728-4-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1728-110-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1728-123-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/1728-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-1-0x0000000000960000-0x0000000000AEC000-memory.dmp

Filesize
1.5MB

Download
memory/2268-247-0x0000000000AE0000-0x0000000000C6C000-memory.dmp

Filesize
1.5MB

Download
memory/2528-186-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2528-185-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\", \"C:\\Windows\\Resources\\Themes\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\", \"C:\\Windows\\Resources\\Themes\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\", \"C:\\Windows\\Resources\\Themes\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\fr-FR\\taskhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\", \"C:\\Windows\\Resources\\Themes\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\", \"C:\\Windows\\Resources\\Themes\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\fr-FR\\taskhost.exe\", \"C:\\ProgramData\\Favorites\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\Idle.exe\", \"C:\\Windows\\Globalization\\lsm.exe\", \"C:\\Windows\\Resources\\Themes\\csrss.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dwm.exe\", \"C:\\Program Files (x86)\\Common Files\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Idle.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\dllhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe\", \"C:\\Windows\\it-IT\\wininit.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\lsm.exe\", \"C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\smss.exe\", \"C:\\Windows\\AppPatch\\de-DE\\services.exe\""	5f5b2304602874306bf4eb32b431d2b6e3ee7862dbc257e50c8f4c3b2f7ea781N.exe