dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
26s
max time network
31s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Size

999KB
MD5

7c3748401169a78459eb9603ff69e2b2
SHA1

1a5d82422f062f1ce5d6eb3cb41c56d066f7981f
SHA256

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d
SHA512

ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12
SSDEEP

12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
1004	schtasks.exe
2116	schtasks.exe
2536	schtasks.exe
2380	schtasks.exe
2780	schtasks.exe
2012	schtasks.exe
3056	schtasks.exe
2512	schtasks.exe
300	schtasks.exe
2492	schtasks.exe
936	schtasks.exe
1072	schtasks.exe
2716	schtasks.exe
2564	schtasks.exe
2756	schtasks.exe
2376	schtasks.exe
976	schtasks.exe
1376	schtasks.exe
2104	schtasks.exe
2600	schtasks.exe
3036	schtasks.exe
3020	schtasks.exe
692	schtasks.exe
1536	schtasks.exe
2976	schtasks.exe
2612	schtasks.exe
816	schtasks.exe
1604	schtasks.exe
2976	schtasks.exe
2920	schtasks.exe
1940	schtasks.exe
1796	schtasks.exe
2248	schtasks.exe
1740	schtasks.exe
1716	schtasks.exe
1592	schtasks.exe
1552	schtasks.exe
2656	schtasks.exe
1820	schtasks.exe
2016	schtasks.exe
2580	schtasks.exe
2156	schtasks.exe
2960	schtasks.exe
2720	schtasks.exe
2100	schtasks.exe
2948	schtasks.exe
2724	schtasks.exe
1692	schtasks.exe
3000	schtasks.exe
2892	schtasks.exe
568	schtasks.exe
780	schtasks.exe
2548	schtasks.exe
1960	schtasks.exe
1944	schtasks.exe
2788	schtasks.exe
1752	schtasks.exe
2880	schtasks.exe
2668	schtasks.exe
2444	schtasks.exe
2624	schtasks.exe
536	schtasks.exe
992	schtasks.exe
1296	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2984	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2984	schtasks.exe	29

Executes dropped EXE 1 IoCs

pid	Process
1552	spoolsv.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\SendTo\\spoolsv.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Default User\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Desktop\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\Start Menu\\smss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Documents\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\Cursors\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d = "\"C:\\Program Files\\Windows Mail\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\NetHood\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\ProgramData\\Templates\\winlogon.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\system\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\RCX33FA.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Windows Mail\RCX33FB.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Windows Mail\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\27d1bcfc3c54e0	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Adobe\spoolsv.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files\Windows Mail\9f171e4e11a5db	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCX1922.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCX1923.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCX1D9A.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX2D02.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCX1D2C.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\RCX2211.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX2D70.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Adobe\spoolsv.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\System.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\1610b97d3ab4a7	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\System.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\RCX2210.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\9f171e4e11a5db	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\Adobe\f3b6ecef712a24	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files\Windows Mail\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\system\csrss.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\system\886983d96e3d3e	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Cursors\OSPPSVC.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\Prefetch\ReadyBoot\csrss.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\csrss.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\Cursors\1610b97d3ab4a7	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\servicing\Sessions\taskhost.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Cursors\RCX261A.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX2F84.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX2F85.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\system\RCX3871.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\system\RCX3872.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\system\csrss.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\Cursors\OSPPSVC.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\Cursors\RCX2619.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
780	schtasks.exe
1376	schtasks.exe
1552	schtasks.exe
2720	schtasks.exe
2920	schtasks.exe
692	schtasks.exe
1716	schtasks.exe
1944	schtasks.exe
2012	schtasks.exe
1740	schtasks.exe
2748	schtasks.exe
2156	schtasks.exe
816	schtasks.exe
1796	schtasks.exe
2024	schtasks.exe
1924	schtasks.exe
2880	schtasks.exe
2116	schtasks.exe
2960	schtasks.exe
1604	schtasks.exe
3036	schtasks.exe
992	schtasks.exe
1536	schtasks.exe
976	schtasks.exe
2756	schtasks.exe
2192	schtasks.exe
2680	schtasks.exe
2656	schtasks.exe
1072	schtasks.exe
1752	schtasks.exe
2976	schtasks.exe
568	schtasks.exe
2104	schtasks.exe
2976	schtasks.exe
300	schtasks.exe
1692	schtasks.exe
2492	schtasks.exe
2536	schtasks.exe
2612	schtasks.exe
3056	schtasks.exe
1820	schtasks.exe
2376	schtasks.exe
2600	schtasks.exe
3020	schtasks.exe
936	schtasks.exe
2668	schtasks.exe
3000	schtasks.exe
2948	schtasks.exe
2548	schtasks.exe
1960	schtasks.exe
2380	schtasks.exe
2788	schtasks.exe
2780	schtasks.exe
756	schtasks.exe
1004	schtasks.exe
2724	schtasks.exe
2248	schtasks.exe
3012	schtasks.exe
2892	schtasks.exe
2580	schtasks.exe
2444	schtasks.exe
2100	schtasks.exe
1592	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2144	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Token: SeDebugPrivilege	1552	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1708	2144	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	104
PID 2144 wrote to memory of 1708	2144	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	104
PID 2144 wrote to memory of 1708	2144	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	104
PID 1708 wrote to memory of 2680	1708	cmd.exe	106
PID 1708 wrote to memory of 2680	1708	cmd.exe	106
PID 1708 wrote to memory of 2680	1708	cmd.exe	106
PID 1708 wrote to memory of 1552	1708	cmd.exe	107
PID 1708 wrote to memory of 1552	1708	cmd.exe	107
PID 1708 wrote to memory of 1552	1708	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
"C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\975DOJvBwA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2680
- - C:\Program Files (x86)\Adobe\spoolsv.exe
    "C:\Program Files (x86)\Adobe\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Documents\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1dd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\ProgramData\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Desktop\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d" /sc ONSTART /tr "'C:\Program Files\Windows Mail\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1dd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\ProgramData\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\ProgramData\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Templates\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 7 /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\system\csrss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\spoolsv.exe

Filesize
999KB

MD5
44208298c7a37be07350df4b84c60737

SHA1
bff3634e5f3c1c10c3fd62384f639bc80c044e88

SHA256
9a815562a4f447ad028661a8829fd37d115957f8839e01abd13bee5dd5e744c5

SHA512
4efe5f230996f1f0d2e2832239ffc00a55676b48b8dbfbff4a44237ecb9608a59ba99d50d9e2fddbda55fe7e427861f9277f208d25e2237bb2670ec679a0bf48

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Filesize
999KB

MD5
7c3748401169a78459eb9603ff69e2b2

SHA1
1a5d82422f062f1ce5d6eb3cb41c56d066f7981f

SHA256
d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d

SHA512
ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\1033\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Filesize
999KB

MD5
5d63337a6b116bd37bb263c4677876dc

SHA1
d773b013f7a20e13275495114c6a94e479a24dcb

SHA256
ccb3b3073d3f3f0abb03e628e03c61633d743dd6cb161d61cab6d47a2d231348

SHA512
a83b1e4884add2f79cb2cba76bcc18c5c32f1b27737d65b068146c9ca656ccb526a84b96b21e36689d654800d1d2a0f360295ec9329a5518e25e5517dd5d048d

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\winlogon.exe

Filesize
999KB

MD5
71c41139bd951af287bc0ced6ded0764

SHA1
58187eac27c6df41dcf5574fe3e032aa5be017db

SHA256
eed761d6c1880743e25b62ae7c1fb1ea0b5e6d3c2a20316f4c7f214c7e8e7243

SHA512
0b9aaa6ce522e22f49a0956bb479736eb874959a90bf93b75231e5be4e4c7a1b8e07e6fe059c83d874561a3462065f64e32441c42211d612aacac34a6ade3c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\975DOJvBwA.bat

Filesize
204B

MD5
2368338bd2490702f1d54dfed41ff329

SHA1
3c5fcd9e8c385542854fae9fd1906e203a75228c

SHA256
157f6e515f33d244adb546b98ee3a9a7856594ba4d4ce15d746b5533bbbb2405

SHA512
7aeeae055cd963dec0a4c6c25ea552796dd966742684d4cf94b69aa5b8268249343fb9de1b7424a3ba6f4e89139c539154f9d4c42aad7bcaa514521f016604e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\spoolsv.exe

Filesize
999KB

MD5
9579aa3fa63f41b8cc72f7395d23ee44

SHA1
7fc7cc09937dce2656ecb529039c7c262329d3e9

SHA256
937a541044e9d04ff6ee01c7e3297e6b67de1df8d4d787ba293f581fb165bf80

SHA512
8c062b6d1b833d7ef252d93f047570eeda5f180161fd84682799085eef1d687632a729d75b5dbd95ea7702b3e07b23c007e7854d84d268b511f79dba6561a001

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\System.exe

Filesize
999KB

MD5
095e00cc64ee84820c7dcab1a8946e21

SHA1
6f2ca1810c8db3d28e8914a407cc030d8cfbd09b

SHA256
58c1a285c9c7da574a8615ee1110d68c8b4b1e6e48f65701bfcb39e0f2fa4a7f

SHA512
4c2287e03d4c0a65277716f7a7453ef177a1140a933e010f95e1a81b7663119310ae34e960ecf4854fb88e91414fe35f0336282101442524fa6c0792291cff64

Download Submit
C:\Users\Public\Desktop\csrss.exe

Filesize
999KB

MD5
f4250454345d9031b1bbd636defca87f

SHA1
279f320a2887be7002e4edcb217b2038f36d5557

SHA256
82c8acf4febbb713df065291736f5f4c9c7641fea62956754e10b37ca04a80c0

SHA512
67d7b180f709a8c33ef0ee388056e46c66476419fb412fea88e807244f018386fb0955d0726c8574a49390914a4996295efb9bc5e51075faa899ea93e89726c0

Download Submit
memory/1552-271-0x00000000010C0000-0x00000000011C0000-memory.dmp

Filesize
1024KB

Download
memory/2144-5-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2144-191-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2144-9-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2144-8-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/2144-7-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/2144-6-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2144-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2144-10-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/2144-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2144-215-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2144-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-268-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\Program Files\\Windows Mail\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\Program Files\\Windows Mail\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\ProgramData\\Templates\\winlogon.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\Program Files\\Windows Mail\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\ProgramData\\Templates\\winlogon.exe\", \"C:\\Windows\\system\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\Program Files\\Windows Mail\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\ProgramData\\Templates\\winlogon.exe\", \"C:\\Windows\\system\\csrss.exe\", \"C:\\Users\\Default\\Start Menu\\smss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\", \"C:\\Windows\\Cursors\\OSPPSVC.exe\", \"C:\\Users\\Default User\\OSPPSVC.exe\", \"C:\\ProgramData\\Desktop\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\spoolsv.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\csrss.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\csrss.exe\", \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\System.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe\", \"C:\\Users\\Admin\\SendTo\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OSPPSVC.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\OSPPSVC.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe