dcrat | 4e52aa426e6c672b59a40e37d5c227f1aa3398fbf91c25c88e7825d3f68f380c

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Size

2.2MB
MD5

7fb943a550881e7c59acdbba1164cbfd
SHA1

ed5bb95d080cbcc5fafaaa0949fdcdfaece4dabe
SHA256

f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510
SHA512

a4b7e40e07f1d5b24fd2bec828c433d984087ee22478f11da9a2ab4bfb42c3c4609e3d24ba19e8fd0239bfffa532c6e4526d6ff9eb7e3a3d1788cb3e5f6e66fc
SSDEEP

49152:K31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:KltZUE6NDyTo9lv2F+VvK6

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2828	schtasks.exe
		972	schtasks.exe
		1448	schtasks.exe
		2232	schtasks.exe
		2792	schtasks.exe
		316	schtasks.exe
		2880	schtasks.exe
		2276	schtasks.exe
		2480	schtasks.exe
		856	schtasks.exe
		2356	schtasks.exe
		2164	schtasks.exe
		2892	schtasks.exe
		2008	schtasks.exe
		2984	schtasks.exe
		2340	schtasks.exe
		1648	schtasks.exe
		2664	schtasks.exe
		3056	schtasks.exe
		2776	schtasks.exe
		536	schtasks.exe
		2756	schtasks.exe
		1620	schtasks.exe
		1064	schtasks.exe
		1628	schtasks.exe
		1896	schtasks.exe
		1532	schtasks.exe
		2444	schtasks.exe
		1796	schtasks.exe
		2824	schtasks.exe
		2604	schtasks.exe
		1800	schtasks.exe
		1516	schtasks.exe
		2996	schtasks.exe
		640	schtasks.exe
		1552	schtasks.exe
		3004	schtasks.exe
		1636	schtasks.exe
		2548	schtasks.exe
		1812	schtasks.exe
		1264	schtasks.exe
		1196	schtasks.exe
		1748	schtasks.exe
		2652	schtasks.exe
		1116	schtasks.exe
		2940	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
		1528	schtasks.exe
		2912	schtasks.exe
		3024	schtasks.exe
		1920	schtasks.exe
		1436	schtasks.exe
		576	schtasks.exe
		2416	schtasks.exe
		3044	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2908	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/776-1-0x0000000000220000-0x000000000044E000-memory.dmp	dcrat
behavioral1/files/0x000500000001a3ed-38.dat	dcrat
behavioral1/files/0x000600000001c833-98.dat	dcrat
behavioral1/files/0x000700000001a48d-127.dat	dcrat
behavioral1/files/0x000700000001a3ed-138.dat	dcrat
behavioral1/files/0x000700000001a452-149.dat	dcrat
behavioral1/files/0x000900000001a46d-172.dat	dcrat
behavioral1/files/0x000600000001a489-182.dat	dcrat
behavioral1/files/0x000800000001a483-193.dat	dcrat
behavioral1/files/0x000b00000001a48f-232.dat	dcrat
behavioral1/files/0x000600000001a4a6-266.dat	dcrat
behavioral1/memory/1700-278-0x0000000000E40000-0x000000000106E000-memory.dmp	dcrat
behavioral1/memory/556-289-0x0000000000E70000-0x000000000109E000-memory.dmp	dcrat
behavioral1/memory/2620-301-0x0000000000EE0000-0x000000000110E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Executes dropped EXE 3 IoCs

pid	Process
1700	lsass.exe
556	lsass.exe
2620	lsass.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Cursors\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\security\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Desktop\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Uninstall Information\\System.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Cursors\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Desktop\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wininit.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\security\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\TAPI\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Uninstall Information\\System.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510 = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wininit.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510 = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\TAPI\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXF1B3.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Program Files\Uninstall Information\System.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXCC67.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\f3b6ecef712a24	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files\Uninstall Information\System.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXCC68.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXE7DA.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF144.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXE7DB.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\winlogon.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCXD779.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCXD7E7.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\security\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCXDE62.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCXDED0.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\Cursors\winlogon.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\PLA\Reports\fr-FR\886983d96e3d3e	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\TAPI\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\Cursors\RCXD556.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\TAPI\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\Cursors\cc11b995f2a76d	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\security\886983d96e3d3e	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\PLA\Reports\fr-FR\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\TAPI\886983d96e3d3e	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\Cursors\RCXD4E8.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\security\RCXDBF0.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\TAPI\RCXE9EE.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\DigitalLocker\es-ES\winlogon.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\security\csrss.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\winlogon.exe	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\security\RCXDC5E.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File opened for modification	C:\Windows\TAPI\RCXEA5D.tmp	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
File created	C:\Windows\DigitalLocker\es-ES\cc11b995f2a76d	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1636	schtasks.exe
2444	schtasks.exe
1896	schtasks.exe
1648	schtasks.exe
2008	schtasks.exe
1516	schtasks.exe
2756	schtasks.exe
1812	schtasks.exe
972	schtasks.exe
576	schtasks.exe
1448	schtasks.exe
2940	schtasks.exe
2996	schtasks.exe
1064	schtasks.exe
2912	schtasks.exe
856	schtasks.exe
1920	schtasks.exe
1528	schtasks.exe
2776	schtasks.exe
2356	schtasks.exe
2416	schtasks.exe
2824	schtasks.exe
2340	schtasks.exe
1116	schtasks.exe
2232	schtasks.exe
3004	schtasks.exe
3044	schtasks.exe
2664	schtasks.exe
1196	schtasks.exe
1800	schtasks.exe
1628	schtasks.exe
1436	schtasks.exe
1264	schtasks.exe
2892	schtasks.exe
2652	schtasks.exe
2548	schtasks.exe
2276	schtasks.exe
3056	schtasks.exe
316	schtasks.exe
1748	schtasks.exe
640	schtasks.exe
1796	schtasks.exe
2828	schtasks.exe
2604	schtasks.exe
1532	schtasks.exe
536	schtasks.exe
2984	schtasks.exe
1552	schtasks.exe
2880	schtasks.exe
3024	schtasks.exe
1620	schtasks.exe
2480	schtasks.exe
2164	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe
1700	lsass.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Token: SeDebugPrivilege	1700	lsass.exe
Token: SeDebugPrivilege	556	lsass.exe
Token: SeDebugPrivilege	2620	lsass.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2880	776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe	87
PID 776 wrote to memory of 2880	776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe	87
PID 776 wrote to memory of 2880	776	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe	87
PID 2880 wrote to memory of 1308	2880	cmd.exe	89
PID 2880 wrote to memory of 1308	2880	cmd.exe	89
PID 2880 wrote to memory of 1308	2880	cmd.exe	89
PID 2880 wrote to memory of 1700	2880	cmd.exe	90
PID 2880 wrote to memory of 1700	2880	cmd.exe	90
PID 2880 wrote to memory of 1700	2880	cmd.exe	90
PID 1700 wrote to memory of 2244	1700	lsass.exe	91
PID 1700 wrote to memory of 2244	1700	lsass.exe	91
PID 1700 wrote to memory of 2244	1700	lsass.exe	91
PID 1700 wrote to memory of 2112	1700	lsass.exe	92
PID 1700 wrote to memory of 2112	1700	lsass.exe	92
PID 1700 wrote to memory of 2112	1700	lsass.exe	92
PID 2244 wrote to memory of 556	2244	WScript.exe	93
PID 2244 wrote to memory of 556	2244	WScript.exe	93
PID 2244 wrote to memory of 556	2244	WScript.exe	93
PID 556 wrote to memory of 3020	556	lsass.exe	94
PID 556 wrote to memory of 3020	556	lsass.exe	94
PID 556 wrote to memory of 3020	556	lsass.exe	94
PID 556 wrote to memory of 2336	556	lsass.exe	95
PID 556 wrote to memory of 2336	556	lsass.exe	95
PID 556 wrote to memory of 2336	556	lsass.exe	95
PID 3020 wrote to memory of 2620	3020	WScript.exe	96
PID 3020 wrote to memory of 2620	3020	WScript.exe	96
PID 3020 wrote to memory of 2620	3020	WScript.exe	96
PID 2620 wrote to memory of 2484	2620	lsass.exe	97
PID 2620 wrote to memory of 2484	2620	lsass.exe	97
PID 2620 wrote to memory of 2484	2620	lsass.exe	97
PID 2620 wrote to memory of 2316	2620	lsass.exe	98
PID 2620 wrote to memory of 2316	2620	lsass.exe	98
PID 2620 wrote to memory of 2316	2620	lsass.exe	98

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
"C:\Users\Admin\AppData\Local\Temp\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJyftqFqgE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1308
- - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe
    "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40931b6d-cb3b-457e-bc75-0128763d2ae4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9adf3926-0540-41df-b9b7-2006014c012b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5f3d7cb-1b49-400b-b95e-b64c4ff90ca0.vbs"
        8⤵
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\174d0794-d3c3-493c-89d6-9d2e0246e1d4.vbs"
        8⤵
        
        PID:2316
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e542c76-37c4-487f-ad42-bbb176d69edb.vbs"
        6⤵
        
        PID:2336
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87832d05-bd03-4af7-be3c-f352e8ba9f26.vbs"
      4⤵
      PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510f" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510f" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Cursors\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\es-ES\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\security\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\fr-FR\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Reports\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\System.exe

Filesize
2.2MB

MD5
b838c4e11b8b1c2b7266baba229a1b7b

SHA1
37620caf7b9067af65e14f14979d6b817abf264d

SHA256
f3702bd2cda6fe277d346377d1c0b50da6fc0b4cbf34ecc128219887c8e67871

SHA512
7aee8c48467a57fabe98820f7e9eb5dd200decc6976f506451a6ce6246fd656560d0abdb802dbfd6c0b2aac8ac1f9bf7e898ca1ba3d947ec6ab5f59f23417e74

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\RCXCE6C.tmp

Filesize
2.2MB

MD5
9ad5de9ed028ee00d1bffb10d68c7a2a

SHA1
12ce1ac444d924202c12d0e91ec988d23d1098ac

SHA256
b173feb82f05f06c56b1310c1193dd4ae206e8cb1753f38fe5313985b7f80d5c

SHA512
7bb1d9770c0ca6d2acb5d93a435c7a8af5c2f8328b46a64816f7312f51b5641f33c91a88db7b24ad9ce072e7c206b3866192434afdefe1e830b0fb05aaf4c09b

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe

Filesize
2.2MB

MD5
940693689baed58e9ff67b8a3de314b3

SHA1
f77f472d921b2ed7a70fb875700e798e14f02bad

SHA256
789e9919b327d6ee3cd53d295f83ec3150c6d784219e665c12f3782c92d6b5fb

SHA512
e27fd38fe24963248d42571c1ad2f2cb65aa2ca8d690755efbe9a50a525edaf8971884335af78c401d6c39dc2e4cadfdc780f0b166bdb155dc94caedd99eca58

Download Submit
C:\Users\Admin\AppData\Local\Temp\40931b6d-cb3b-457e-bc75-0128763d2ae4.vbs

Filesize
734B

MD5
613f6059214a6e6c52926209d1939dfd

SHA1
6770f032879b35308d77ca4e2cab2fd84f8ccbd9

SHA256
be73ce4c0e3129fb7289beab2f8ccb99cb5ecfecb274b517126ff63c91e55f6d

SHA512
a935d2cbfe97e1669d74ba27763830ce8762b29a212fe06b103b686d28021e8af152e8aa33e4509b8c88c9303c8c03986a8461f81f108d5cbdc7e8a35d4126fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\87832d05-bd03-4af7-be3c-f352e8ba9f26.vbs

Filesize
510B

MD5
9b16a10ebaa9935cb0c5b57974da4c3b

SHA1
8db5f2c823f5b3a221ff48f28233d8203df11b8e

SHA256
de99b651f98e893092f92d75701bd2d85c9d1bcfe096e3c7101667c6323ce94d

SHA512
1a0702aec5baa4807cd34f9a5a66c6d3551d273095b4de1bf2dd2166b9141f35677927ebfcd963edfbce27296acb6ee2589607bc46d8a32b7bebffa9bf801701

Download Submit
C:\Users\Admin\AppData\Local\Temp\9adf3926-0540-41df-b9b7-2006014c012b.vbs

Filesize
733B

MD5
5c955d64f58a5458800490fc6a0db2cc

SHA1
160dc665e97a4feb84a74cf8651a0b7f74d3453e

SHA256
9dda36b1ed7a9235cd00465bbb2975e4ef308c53d7f398fdda6e49df1455f99d

SHA512
61873e8798a7dd03ea92d7190f7da86cebbd2c6345e19dc5b4fe6b9537929150771f6a8c8237171b76c1717cf488dfa40c5b25fcacee4e5bf070345c789c09c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJyftqFqgE.bat

Filesize
223B

MD5
e0f15702dd42f92f24eea4a5e3b4e25b

SHA1
b19a6751cb7fa36114c64f1accd9e82304860fa5

SHA256
ddd5a5b099c1499f3dabc1d0c70356f5664a4ff653bf1c4c75bede8e12c1ac5e

SHA512
37ac05a4f6dd3a2847d27192539335218d6296f82e246c0e72aaae80374db61695a67803952bbf7f0d993fbcdd00c377943f779fb1bd9e8b7e9ddd6c6517894f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5f3d7cb-1b49-400b-b95e-b64c4ff90ca0.vbs

Filesize
734B

MD5
b4938e223c1a82f6a1809c3e66dd00a0

SHA1
db08532ecae1bbb303361c13b95980e8ec87b496

SHA256
873d866ca19afefce5ebb69bdd099a15e9b93e94707b8bc2f949533ea3dc1e88

SHA512
c1c80c21126d41a236935528a900033af7912db36dfc23ff152db78abf74b2b76dd08492c11d288f93437143a1ef6847b0e72123f136136231b5801b70ce4c49

Download Submit
C:\Users\Public\Recorded TV\Sample Media\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Filesize
2.2MB

MD5
7fb943a550881e7c59acdbba1164cbfd

SHA1
ed5bb95d080cbcc5fafaaa0949fdcdfaece4dabe

SHA256
f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510

SHA512
a4b7e40e07f1d5b24fd2bec828c433d984087ee22478f11da9a2ab4bfb42c3c4609e3d24ba19e8fd0239bfffa532c6e4526d6ff9eb7e3a3d1788cb3e5f6e66fc

Download Submit
C:\Users\Public\Recorded TV\Sample Media\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe

Filesize
2.2MB

MD5
4c5ddb638cc2631ff36a69b45cc26652

SHA1
2d31f9e279cdbf249a5063f0aa897d156cab1900

SHA256
3d4dc059e1615ce810126c9f235791fb8ea678fc534d92cf193964fd1e271962

SHA512
4a66fadc0b1598c3b30691f9445601c28db83d7d02aab1131365557903ef6fbcf4aee50c1bfda69ccc72b9be1b052631b147bf9c0d47aaf57f1c63d2e380d6dc

Download Submit
C:\Windows\Cursors\winlogon.exe

Filesize
2.2MB

MD5
991bae57a0a6d94c0cd80a918f8fc450

SHA1
75c48a3e50f7d7c41da36c0b984958449f87f0e8

SHA256
b26c6de17dec83f50a8a1e96fd4ebe1e0e15a82be395e8b549ea6a8ff6d1ccb9

SHA512
89877daa6efe98ed0e73985bde07b52036f1764231c8d7b80d4c56b2c16660cc6ae14849587574aad04ae6245db97d9234d10dfe778a41f3657e506249378745

Download Submit
C:\Windows\DigitalLocker\es-ES\winlogon.exe

Filesize
2.2MB

MD5
d9b07d7d13b3b4f6423e8bb3fdbb461a

SHA1
9b8291276b0fc41d884ded92e7a62eab53003cab

SHA256
f13ab7cd0a47cdc025457b1a68c909af03d1739d68d456b3a9315c327806d621

SHA512
8dfd5a988a6d2e908c8a3580e42758c4827590d715c370032cb6399d0d3edb03955a7b5320d9780d1baf33937fd49d8dddd692e5aa4ae9ffb54399ae44b1109e

Download Submit
C:\Windows\PLA\Reports\fr-FR\RCXDED0.tmp

Filesize
2.2MB

MD5
133cb55dea08cc0f852eef30db71b7ad

SHA1
12394d37e4a44f5acf269a3ea29c39e61f56232d

SHA256
091a675bc08acfdd69c46780aa08d6fd33fa8a3cee34c076f79781a5b843a819

SHA512
18f6ff0f13ece249967d0037015edc62453fb1e9408dd829d9ab912089ddfd37d5861c2c636ead05188f535f08733484f0dfa9d83cb32d866cbdd492179c1f54

Download Submit
C:\Windows\TAPI\csrss.exe

Filesize
2.2MB

MD5
f40e5e79b11572196b08691fda576c8a

SHA1
d4dd0108cae1ebff001929d36f8f2dd958fc33ce

SHA256
a9a4befcbfdc5b52c28fb8fb7fc87838880777dd66c74c4bab8acc9254c30eb9

SHA512
a76bd834fccb6a724cdb50e75707007e7eb8a7933e56b56dc0a83684eaf0806e93de2ccd91d795d83bb1c63166cccb9017a2237f810e848033c98b67b1ce3ab3

Download Submit
C:\Windows\security\csrss.exe

Filesize
2.2MB

MD5
b7024dcc510264fcfed5b1b5df49e543

SHA1
17ad0c175325e92c5e797b7b4a52211a96a07deb

SHA256
55cd5fd9d924f4f05792215cf1e9ac8500ae80e51bfdd208c3a61fec849a45b3

SHA512
761b6f02b1a686725fcc70a23f0dce07a5106ee0d3f9fcd5573a6be777b71925dcce2176cd2b3f983600197693890872804ec6fbf381d26492f09e7c86f7504f

Download Submit
memory/556-289-0x0000000000E70000-0x000000000109E000-memory.dmp

Filesize
2.2MB

Download
memory/776-12-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/776-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/776-19-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/776-20-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/776-21-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/776-22-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/776-23-0x0000000002440000-0x000000000244E000-memory.dmp

Filesize
56KB

Download
memory/776-25-0x0000000002460000-0x000000000246E000-memory.dmp

Filesize
56KB

Download
memory/776-24-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/776-26-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/776-27-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/776-28-0x0000000002510000-0x000000000251C000-memory.dmp

Filesize
48KB

Download
memory/776-29-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-16-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/776-15-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/776-14-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/776-13-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/776-18-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/776-11-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/776-10-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/776-9-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/776-196-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/776-211-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-8-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/776-235-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-7-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/776-6-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/776-275-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/776-1-0x0000000000220000-0x000000000044E000-memory.dmp

Filesize
2.2MB

Download
memory/776-5-0x0000000000680000-0x000000000069C000-memory.dmp

Filesize
112KB

Download
memory/776-4-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/776-3-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/776-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-278-0x0000000000E40000-0x000000000106E000-memory.dmp

Filesize
2.2MB

Download
memory/2620-301-0x0000000000EE0000-0x000000000110E000-memory.dmp

Filesize
2.2MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\", \"C:\\Windows\\TAPI\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wininit.exe\", \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\Program Files\\Uninstall Information\\System.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\", \"C:\\Windows\\TAPI\\csrss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\", \"C:\\Windows\\TAPI\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wininit.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\", \"C:\\Windows\\Cursors\\winlogon.exe\", \"C:\\Windows\\DigitalLocker\\es-ES\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\smss.exe\", \"C:\\Windows\\security\\csrss.exe\", \"C:\\Windows\\PLA\\Reports\\fr-FR\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\lsass.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\spoolsv.exe\", \"C:\\Windows\\TAPI\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wininit.exe\", \"C:\\MSOCache\\All Users\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\csrss.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\dwm.exe\", \"C:\\Users\\Public\\Desktop\\winlogon.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe\""	f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510.exe