dcrat | 77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Size

2.2MB
MD5

4456822b2b827ac37495bd31b427a67a
SHA1

201a118a38334aa4d971753dee890f2d15777c46
SHA256

77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845
SHA512

cb1e84f52bc25984422981e6c3b76ad2c3eebe895434a677ebdac9a676eeb4c46b1e1aed43161e4a3c4ba0a16da764d8f3b5d5823cb99f2d934738f1478e4213
SSDEEP

49152:631tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:6ltZUE6NDyTo9lv2F+VvK6

Score

10^/10

dcrat defense_evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 52 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2516	schtasks.exe
		548	schtasks.exe
		2608	schtasks.exe
		2560	schtasks.exe
		2660	schtasks.exe
		1928	schtasks.exe
		2532	schtasks.exe
		2212	schtasks.exe
		3012	schtasks.exe
		1252	schtasks.exe
		3004	schtasks.exe
		2524	schtasks.exe
		2900	schtasks.exe
		2544	schtasks.exe
		1464	schtasks.exe
		2184	schtasks.exe
		2068	schtasks.exe
		2616	schtasks.exe
		1760	schtasks.exe
		1120	schtasks.exe
		2132	schtasks.exe
		1360	schtasks.exe
		1592	schtasks.exe
		2548	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
		2700	schtasks.exe
		264	schtasks.exe
		1636	schtasks.exe
		2892	schtasks.exe
		2932	schtasks.exe
		2740	schtasks.exe
		2024	schtasks.exe
		1804	schtasks.exe
		2336	schtasks.exe
		2552	schtasks.exe
		2624	schtasks.exe
		1700	schtasks.exe
		1616	schtasks.exe
		1596	schtasks.exe
		1752	schtasks.exe
		1092	schtasks.exe
		3016	schtasks.exe
		604	schtasks.exe
		2636	schtasks.exe
		2816	schtasks.exe
		1716	schtasks.exe
		1764	schtasks.exe
		2796	schtasks.exe
		2764	schtasks.exe
		1132	schtasks.exe
		692	schtasks.exe
		2956	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2232	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2232	schtasks.exe	28

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2276-1-0x0000000001150000-0x000000000137E000-memory.dmp	dcrat
behavioral1/files/0x0006000000017570-38.dat	dcrat
behavioral1/files/0x00100000000174b4-161.dat	dcrat
behavioral1/files/0x000a00000001870c-172.dat	dcrat
behavioral1/files/0x0008000000018d7b-183.dat	dcrat
behavioral1/files/0x0006000000019261-267.dat	dcrat
behavioral1/memory/2524-277-0x0000000000800000-0x0000000000A2E000-memory.dmp	dcrat
behavioral1/memory/1900-289-0x0000000001060000-0x000000000128E000-memory.dmp	dcrat
behavioral1/memory/2784-301-0x0000000000330000-0x000000000055E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe

Executes dropped EXE 3 IoCs

pid	Process
2524	taskhost.exe
1900	taskhost.exe
2784	taskhost.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845 = "\"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845 = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\PLA\\Rules\\Idle.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Public\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845 = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\PLA\\Rules\\Idle.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\sppsvc.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\sppsvc.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845 = "\"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\0a1fd5f707cd16	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCXB1A2.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\taskhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\c5b4cb5e9653cc	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Windows Defender\fr-FR\taskhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCXB1A1.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXBF06.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXC10C.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXC582.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\f3b6ecef712a24	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXC30F.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXBF07.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Windows Media Player\Icons\dllhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXC10B.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXC310.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXC581.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Program Files\Windows Defender\fr-FR\b75386f1303e64	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\b75386f1303e64	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\PLA\Rules\RCXAF9D.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\PLA\Rules\RCXAF9E.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXB88A.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\PLA\Rules\Idle.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\ja-JP\dllhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\PLA\Rules\Idle.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXB8F8.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\ja-JP\dllhost.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\PLA\Rules\6ccacd8608530f	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\ja-JP\RCXA98F.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\servicing\ja-JP\System.exe	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File created	C:\Windows\ja-JP\5940a34987c991	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
File opened for modification	C:\Windows\ja-JP\RCXA98E.tmp	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1700	schtasks.exe
548	schtasks.exe
2764	schtasks.exe
1252	schtasks.exe
1464	schtasks.exe
2068	schtasks.exe
2956	schtasks.exe
2532	schtasks.exe
1616	schtasks.exe
1804	schtasks.exe
1760	schtasks.exe
3012	schtasks.exe
2892	schtasks.exe
2816	schtasks.exe
2524	schtasks.exe
2184	schtasks.exe
1132	schtasks.exe
2636	schtasks.exe
2700	schtasks.exe
1120	schtasks.exe
1092	schtasks.exe
692	schtasks.exe
1360	schtasks.exe
2132	schtasks.exe
2608	schtasks.exe
2616	schtasks.exe
2624	schtasks.exe
2212	schtasks.exe
2900	schtasks.exe
604	schtasks.exe
2552	schtasks.exe
1592	schtasks.exe
2660	schtasks.exe
2560	schtasks.exe
1636	schtasks.exe
1716	schtasks.exe
2740	schtasks.exe
2544	schtasks.exe
1928	schtasks.exe
2516	schtasks.exe
1764	schtasks.exe
2796	schtasks.exe
3004	schtasks.exe
1752	schtasks.exe
2336	schtasks.exe
2548	schtasks.exe
2932	schtasks.exe
1596	schtasks.exe
264	schtasks.exe
2024	schtasks.exe
3016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe
2524	taskhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Token: SeDebugPrivilege	2524	taskhost.exe
Token: SeDebugPrivilege	1900	taskhost.exe
Token: SeDebugPrivilege	2784	taskhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2524	2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe	80
PID 2276 wrote to memory of 2524	2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe	80
PID 2276 wrote to memory of 2524	2276	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe	80
PID 2524 wrote to memory of 2856	2524	taskhost.exe	83
PID 2524 wrote to memory of 2856	2524	taskhost.exe	83
PID 2524 wrote to memory of 2856	2524	taskhost.exe	83
PID 2524 wrote to memory of 1488	2524	taskhost.exe	84
PID 2524 wrote to memory of 1488	2524	taskhost.exe	84
PID 2524 wrote to memory of 1488	2524	taskhost.exe	84
PID 2856 wrote to memory of 1900	2856	WScript.exe	85
PID 2856 wrote to memory of 1900	2856	WScript.exe	85
PID 2856 wrote to memory of 1900	2856	WScript.exe	85
PID 1900 wrote to memory of 2572	1900	taskhost.exe	86
PID 1900 wrote to memory of 2572	1900	taskhost.exe	86
PID 1900 wrote to memory of 2572	1900	taskhost.exe	86
PID 1900 wrote to memory of 2724	1900	taskhost.exe	87
PID 1900 wrote to memory of 2724	1900	taskhost.exe	87
PID 1900 wrote to memory of 2724	1900	taskhost.exe	87
PID 2572 wrote to memory of 2784	2572	WScript.exe	88
PID 2572 wrote to memory of 2784	2572	WScript.exe	88
PID 2572 wrote to memory of 2784	2572	WScript.exe	88
PID 2784 wrote to memory of 3048	2784	taskhost.exe	89
PID 2784 wrote to memory of 3048	2784	taskhost.exe	89
PID 2784 wrote to memory of 3048	2784	taskhost.exe	89
PID 2784 wrote to memory of 1508	2784	taskhost.exe	90
PID 2784 wrote to memory of 1508	2784	taskhost.exe	90
PID 2784 wrote to memory of 1508	2784	taskhost.exe	90

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
"C:\Users\Admin\AppData\Local\Temp\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2276
- C:\Program Files\Windows Defender\fr-FR\taskhost.exe
  "C:\Program Files\Windows Defender\fr-FR\taskhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\125e04f7-9864-4fad-bed4-98cf772d581f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Program Files\Windows Defender\fr-FR\taskhost.exe
      "C:\Program Files\Windows Defender\fr-FR\taskhost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1900
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36db530b-c0e6-433e-8dc3-7b76c06a30ac.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Program Files\Windows Defender\fr-FR\taskhost.exe
        
        "C:\Program Files\Windows Defender\fr-FR\taskhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32bb90f2-ec93-4c5d-ae20-d8cedd625077.vbs"
        7⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d241d55-9de3-48e9-9f8e-5840ce8ce58e.vbs"
        7⤵
        
        PID:1508
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05770b91-aba4-4af8-a897-e43605ad62b7.vbs"
        5⤵
        
        PID:2724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b06cc6d9-d85d-43a4-9c4d-ff2291551dec.vbs"
    3⤵
    PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff92568457" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff92568457" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff92568457" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff92568457" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Rules\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dllhost.exe

Filesize
2.2MB

MD5
58d1a75b8336635c1e13048b9ff06dad

SHA1
7d45c7a1c562e5bf26d9ef809014b160afa76bde

SHA256
c8b637bc1e8ae170efcf117268973027147d829e66e062dbb40ffa2c66f91ae7

SHA512
3d0e56e1c655e3222b6921bcb380d39f2129a363ff67dc53a883b194a912bd2b18b314b9771e8f00bc7ca1191c423b488e866ca01073f429b6466320557f4f0d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe

Filesize
2.2MB

MD5
4456822b2b827ac37495bd31b427a67a

SHA1
201a118a38334aa4d971753dee890f2d15777c46

SHA256
77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845

SHA512
cb1e84f52bc25984422981e6c3b76ad2c3eebe895434a677ebdac9a676eeb4c46b1e1aed43161e4a3c4ba0a16da764d8f3b5d5823cb99f2d934738f1478e4213

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe

Filesize
2.2MB

MD5
c9f3618ba1b3e943f929d73ea502b282

SHA1
26f5e01544841c09b4361fc3c953ab85d3254f7b

SHA256
5f1d3ef89a763b3918cec1d3ddfa8df5c97ad9c9ef2425a62475aa62d25a3129

SHA512
f08ec879a30be7e18915cff7d14ae35913016d16cf8703dd11311a17aa1688c746c30c84546cceaa3669f7f0e0c07727d52c79067b379572471e67b195984b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\125e04f7-9864-4fad-bed4-98cf772d581f.vbs

Filesize
728B

MD5
9cb6ea20f97a4fa826f7bad548471693

SHA1
98a6edfe28d901f2b549fb4bd42e2d0528601872

SHA256
e1497e260c273e1b533bd7de1f8cba1fef634909cb1db30e25b83e8d4492a430

SHA512
8325dc7bc94850dc2733350ccd9a0779c11508c1e07d3c1791beb52babb7514b5276e5ca1c53712bf0f7efbc6ecc2a55c3d2aeb759123f79ed1265f76b3edcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\32bb90f2-ec93-4c5d-ae20-d8cedd625077.vbs

Filesize
728B

MD5
b5bc6c625641b2cc6f15f63f529e7b94

SHA1
7ccb3cbc7d1eb7f6bcdb9487e2528a5d7c5612ff

SHA256
0a46e94f2cc4e1d08a5fff1be378f4cefacb82a81edda4b44aa5d07e68d69417

SHA512
ef95cdab8069c9f174e94a66d6b26bac0ff521501b93c3a25b122c52babd32e7d251867ae504f21840878a8b72b040c72e9cb16319c33426167c33243985baae

Download Submit
C:\Users\Admin\AppData\Local\Temp\36db530b-c0e6-433e-8dc3-7b76c06a30ac.vbs

Filesize
728B

MD5
753aa7f3e57bb7dde89d730eef534ae6

SHA1
7610b8e13819ad0efa146829c33997ec9adb48ca

SHA256
69ce9d3c4bb8c7afeb75282c3d43271bd8ee1be3921768081c9dfde3767bdcad

SHA512
645d55d1daf8e9cb48473fdc56a827e0375a619717184abb480c85ffe858212926543be4c22cb2d64863a981ee21b32e50acacbdd0d11f3a368bdcf1a884106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b06cc6d9-d85d-43a4-9c4d-ff2291551dec.vbs

Filesize
504B

MD5
ce24cc15a70fd88d0be0b1c4e707c149

SHA1
95c2d03571975803d726625cbaa37ac94bb8ccb6

SHA256
17d3fc2232a701a1e2763bc6761b3d7913c26a58f9e0cb382a4de4e898f15b7b

SHA512
c469e533603b5d42515759b437767e6f12fea2626efa97a2fe134601502915cd25d97249637092e4a5995ee91463e5a5123bc944de0acd3d836635bbe51f3a67

Download Submit
C:\Users\Public\taskhost.exe

Filesize
2.2MB

MD5
9259d969ba826b30a8b09a22e2d4c045

SHA1
9050d1494fa5de023a40d27ed77594992ca4f9f0

SHA256
cb1f06d166bacec4295470a03fd6a5c394ad89d9d2217a3c64c07a6db181f75b

SHA512
b188352148bb5b54d2ae320d9b365a74e702c275e559a0c2c29f5569f3c247ef32abef3bcb3a0618e1536d94ddd6378bf61613e9051b929d40326ee2d4e75859

Download Submit
C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe

Filesize
2.2MB

MD5
80794eff35bb7052662c57c6ffbce4d7

SHA1
d425066c5e2d73c1e8d41e2d38138529017b139d

SHA256
20f1180f8173dc27729882c0360b26adc4b58fadba6ec2d7a05014415e9f7407

SHA512
56485ec3fffc2c8684eba81c0ef90c9e7332408b84f628bb17b056c3f779dfae23c1973cace8056c7a96c3662a83573cd16160c817d2f11294a56d4bca5b9d78

Download Submit
memory/1900-289-0x0000000001060000-0x000000000128E000-memory.dmp

Filesize
2.2MB

Download
memory/2276-23-0x0000000001090000-0x000000000109E000-memory.dmp

Filesize
56KB

Download
memory/2276-28-0x00000000010E0000-0x00000000010EC000-memory.dmp

Filesize
48KB

Download
memory/2276-12-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/2276-13-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2276-14-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/2276-15-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/2276-16-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2276-18-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/2276-19-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/2276-20-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/2276-21-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/2276-22-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download
memory/2276-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2276-24-0x00000000010A0000-0x00000000010A8000-memory.dmp

Filesize
32KB

Download
memory/2276-25-0x00000000010B0000-0x00000000010BE000-memory.dmp

Filesize
56KB

Download
memory/2276-26-0x00000000010C0000-0x00000000010CC000-memory.dmp

Filesize
48KB

Download
memory/2276-27-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/2276-11-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2276-29-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-10-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2276-9-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2276-8-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2276-7-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2276-210-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2276-235-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-258-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-6-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2276-278-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-1-0x0000000001150000-0x000000000137E000-memory.dmp

Filesize
2.2MB

Download
memory/2276-5-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/2276-4-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2276-3-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2276-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-277-0x0000000000800000-0x0000000000A2E000-memory.dmp

Filesize
2.2MB

Download
memory/2784-301-0x0000000000330000-0x000000000055E000-memory.dmp

Filesize
2.2MB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\taskhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Media Center Programs\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe\", \"C:\\Windows\\PLA\\Rules\\Idle.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\Public\\taskhost.exe\""	77416f272b5f9f86a13038caf163f2a2a7c65e4e0281e43cbd745ebff9256845.exe