dcrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d81f411b0ec1ac7d861358e145db4ba.exe
Size

999KB
MD5

3d81f411b0ec1ac7d861358e145db4ba
SHA1

4b945e693bc455840912fc5b5f155c36501d235e
SHA256

72b49e4d9aa54af40111e35d0d4bcb4a7a313c4f2f5c5f33c3b7a093b7f4fc0e
SHA512

216c654e895ec5065b7d724f5421184e2a3445f4b801f0ebcc3ce34676e2d89240f22af079fd7a7d074af3567ee483ebe2f6b40bfea224956ff00f5d326894fe
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1960	schtasks.exe
		2712	schtasks.exe
		2564	schtasks.exe
		2208	schtasks.exe
		836	schtasks.exe
		2064	schtasks.exe
		2876	schtasks.exe
		2580	schtasks.exe
		1012	schtasks.exe
		2524	schtasks.exe
		2416	schtasks.exe
		380	schtasks.exe
		2856	schtasks.exe
		1676	schtasks.exe
		888	schtasks.exe
		2764	schtasks.exe
		2316	schtasks.exe
		940	schtasks.exe
		1804	schtasks.exe
		604	schtasks.exe
File created	C:\Windows\Temp\Crashpad\reports\101b941d020240		3d81f411b0ec1ac7d861358e145db4ba.exe
		1428	schtasks.exe
		1432	schtasks.exe
		1680	schtasks.exe
		3004	schtasks.exe
		1504	schtasks.exe
		2648	schtasks.exe
		2024	schtasks.exe
		1000	schtasks.exe
		668	schtasks.exe
		2960	schtasks.exe
		2180	schtasks.exe
		3008	schtasks.exe
		1256	schtasks.exe
		620	schtasks.exe
		1108	schtasks.exe
		2980	schtasks.exe
		1804	schtasks.exe
		896	schtasks.exe
		1156	schtasks.exe
		2748	schtasks.exe
		2604	schtasks.exe
		2772	schtasks.exe
		1300	schtasks.exe
		2628	schtasks.exe
		2468	schtasks.exe
		2764	schtasks.exe
		2184	schtasks.exe
		2828	schtasks.exe
		2388	schtasks.exe
		1148	schtasks.exe
		600	schtasks.exe
		700	schtasks.exe
		1140	schtasks.exe
		2496	schtasks.exe
		2540	schtasks.exe
		1344	schtasks.exe
		1572	schtasks.exe
		2076	schtasks.exe
		2300	schtasks.exe
		3020	schtasks.exe
		1528	schtasks.exe
		2268	schtasks.exe
		2416	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2908	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
1380	OSPPSVC.exe

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Adobe\\spoolsv.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Start Menu\\dwm.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\MSBuild\\wininit.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\Idle.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\debug\\lsass.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d81f411b0ec1ac7d861358e145db4ba = "\"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\smss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Admin\\Documents\\My Videos\\smss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d81f411b0ec1ac7d861358e145db4ba = "\"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d81f411b0ec1ac7d861358e145db4ba = "\"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\L2Schemas\\csrss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Defender\\it-IT\\System.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX8F1C.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files\MSBuild\RCXA107.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXA379.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXB2E2.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXB2E3.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files (x86)\Windows Sidebar\csrss.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files\Windows Defender\it-IT\27d1bcfc3c54e0	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files\MSBuild\wininit.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXA37A.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\System.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX8F1D.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\csrss.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files\MSBuild\RCXA175.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files\MSBuild\56085415360792	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\f3b6ecef712a24	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files\Windows Defender\it-IT\System.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files (x86)\Google\CrashReports\1610b97d3ab4a7	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXB0DD.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXB0DE.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Program Files\MSBuild\wininit.exe	3d81f411b0ec1ac7d861358e145db4ba.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\debug\lsass.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\L2Schemas\RCXA5EB.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\Vss\Writers\RCX980A.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCX9A0E.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\L2Schemas\RCXA5EC.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\debug\lsass.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\Vss\Writers\10c65744036999	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\1610b97d3ab4a7	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\debug\RCX9121.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\debug\RCX9122.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCX9A7C.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\L2Schemas\csrss.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\Vss\Writers\RCX979C.tmp	3d81f411b0ec1ac7d861358e145db4ba.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	3d81f411b0ec1ac7d861358e145db4ba.exe
File created	C:\Windows\debug\6203df4a6bafc7	3d81f411b0ec1ac7d861358e145db4ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe
2004	schtasks.exe
2016	schtasks.exe
1680	schtasks.exe
2772	schtasks.exe
2356	schtasks.exe
2856	schtasks.exe
1504	schtasks.exe
2468	schtasks.exe
2828	schtasks.exe
2564	schtasks.exe
2836	schtasks.exe
280	schtasks.exe
2208	schtasks.exe
2980	schtasks.exe
2780	schtasks.exe
700	schtasks.exe
2496	schtasks.exe
2876	schtasks.exe
1804	schtasks.exe
380	schtasks.exe
2180	schtasks.exe
600	schtasks.exe
1000	schtasks.exe
2696	schtasks.exe
2076	schtasks.exe
2580	schtasks.exe
2064	schtasks.exe
2300	schtasks.exe
2616	schtasks.exe
1256	schtasks.exe
2072	schtasks.exe
2960	schtasks.exe
2388	schtasks.exe
1012	schtasks.exe
2764	schtasks.exe
896	schtasks.exe
2764	schtasks.exe
1256	schtasks.exe
2440	schtasks.exe
1572	schtasks.exe
1344	schtasks.exe
2748	schtasks.exe
3004	schtasks.exe
836	schtasks.exe
2184	schtasks.exe
1428	schtasks.exe
940	schtasks.exe
1156	schtasks.exe
2284	schtasks.exe
2024	schtasks.exe
3020	schtasks.exe
1300	schtasks.exe
2316	schtasks.exe
1676	schtasks.exe
1528	schtasks.exe
1148	schtasks.exe
1140	schtasks.exe
668	schtasks.exe
1960	schtasks.exe
2604	schtasks.exe
1804	schtasks.exe
2628	schtasks.exe
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2096	3d81f411b0ec1ac7d861358e145db4ba.exe
2096	3d81f411b0ec1ac7d861358e145db4ba.exe
2096	3d81f411b0ec1ac7d861358e145db4ba.exe
2096	3d81f411b0ec1ac7d861358e145db4ba.exe
2096	3d81f411b0ec1ac7d861358e145db4ba.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	3d81f411b0ec1ac7d861358e145db4ba.exe
Token: SeDebugPrivilege	1380	OSPPSVC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2748	2096	3d81f411b0ec1ac7d861358e145db4ba.exe	108
PID 2096 wrote to memory of 2748	2096	3d81f411b0ec1ac7d861358e145db4ba.exe	108
PID 2096 wrote to memory of 2748	2096	3d81f411b0ec1ac7d861358e145db4ba.exe	108
PID 2748 wrote to memory of 2252	2748	cmd.exe	110
PID 2748 wrote to memory of 2252	2748	cmd.exe	110
PID 2748 wrote to memory of 2252	2748	cmd.exe	110
PID 2748 wrote to memory of 1380	2748	cmd.exe	111
PID 2748 wrote to memory of 1380	2748	cmd.exe	111
PID 2748 wrote to memory of 1380	2748	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d81f411b0ec1ac7d861358e145db4ba.exe
"C:\Users\Admin\AppData\Local\Temp\3d81f411b0ec1ac7d861358e145db4ba.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aNa3Lme8Pe.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2252
- - C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe
    "C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONSTART /tr "'C:\Windows\debug\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\ProgramData\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc ONLOGON /tr "'C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc ONSTART /tr "'C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba3" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\3d81f411b0ec1ac7d861358e145db4ba.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc ONSTART /tr "'C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba3" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc MINUTE /mo 6 /tr "'C:\ProgramData\Desktop\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc ONLOGON /tr "'C:\ProgramData\Desktop\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba" /sc ONSTART /tr "'C:\ProgramData\Desktop\3d81f411b0ec1ac7d861358e145db4ba.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3d81f411b0ec1ac7d861358e145db4ba3" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Desktop\3d81f411b0ec1ac7d861358e145db4ba.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\Users\Admin\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Videos\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Program Files\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONSTART /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\wininit.exe

Filesize
999KB

MD5
c0215b3396e9263d29d8b8ad43e2c167

SHA1
290199d42e133f273fa8af901cafa9601445db9e

SHA256
9b87251ea6c60932f30c5a39ce54cc73e6f68b0a62aaee7ae2b5814e1c19071f

SHA512
372f93a6756c7b36ba443c17bcf78709ae395c61ed2c0722e1131c69077f66086a4ff712690d7909bdd10eb53c402d6b4574d9a75aa44d8bfa8dbee939c40da3

Download Submit
C:\ProgramData\Adobe\spoolsv.exe

Filesize
999KB

MD5
3d81f411b0ec1ac7d861358e145db4ba

SHA1
4b945e693bc455840912fc5b5f155c36501d235e

SHA256
72b49e4d9aa54af40111e35d0d4bcb4a7a313c4f2f5c5f33c3b7a093b7f4fc0e

SHA512
216c654e895ec5065b7d724f5421184e2a3445f4b801f0ebcc3ce34676e2d89240f22af079fd7a7d074af3567ee483ebe2f6b40bfea224956ff00f5d326894fe

Download Submit
C:\ProgramData\Adobe\spoolsv.exe

Filesize
999KB

MD5
6b39f93e65cd12b01a0a5af5bf50de36

SHA1
5ec960903284f34ad1eca0de8681ce6848e3fc34

SHA256
4d052c853451b60733a3c8acfd177d1c9b32adacb38ed4f1572f704b3311f069

SHA512
6671dfec909f7bddfca2a23edce78a4c80ba10940bd8355c6c90b42ea24837dc375b89eae9966070ac31b1d835abbcf1e17c2acad29d6d0fd600d9c795ee4f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\aNa3Lme8Pe.bat

Filesize
216B

MD5
3a7a8caaa21977e6ece0f4e2068645c5

SHA1
3500ba21e650238ba359eb034f7bef9acc2fb661

SHA256
3e06ba76fb41583907352956f24a9807aaa4d568d3d16c288b5189d7407c5a17

SHA512
d5adc2bac57e1d60a4b3e07a9f61a0007d328bc91a59b049afc88836a8db54216ffb549d7467876e4f0446a0ba9285dd705e77fc87e82e8026cee41be3a60b49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\dwm.exe

Filesize
999KB

MD5
b4e09e6a830ebfc4a1583677259ce767

SHA1
7bbf101f623586c0b1fcb645fb4dd088d648940e

SHA256
35c4fb89309bc00ecc4df463decebd48b8c21bc082e4eb43eaf771985fbe0ce3

SHA512
cbab6c6529657c25e561e2936a8f47bb5ce4299e138ceb874ad28eab7fdc145596a6743a339469484b287cf59b397213a809af5b41bef2ac346a10e9c35c4daf

Download Submit
C:\Users\Admin\Videos\smss.exe

Filesize
999KB

MD5
9efc9dcfbcc92007e5e125bb064fe731

SHA1
d2d8c3e54a7f89c655d023136977f53a08cb681f

SHA256
5c182e0cdab48f85bc51f27d9afcac40b0f154ba905dc6ced8c938ea8bde4f9b

SHA512
83edc8c16b7bd5fa41fb40bb1e7e828d2f3cecca50b3eb29d4c43b705324ef3d82a3d24b592552a4e8777261794254f1b712afeb1bc8f57831968b2677fe7a5d

Download Submit
C:\Windows\RemotePackages\RemoteDesktops\OSPPSVC.exe

Filesize
999KB

MD5
16edeea873e30606c95676ca11304bee

SHA1
8bc06c9d497a4b7a80918d40695fce9daece7e8e

SHA256
986347a1aaa9d0e1567208924bf4cdd230ce1423807ab06211e3ba7eaf4d9b82

SHA512
3cd077c1d560a6743129a775442b46f492b1c908ab93f5f6d521bfe1edc9d9934f82f4193a6cc3eaee8b13c697648ccbcdcc95f490b25d4ce0599953a2e6350a

Download Submit
C:\Windows\Vss\Writers\3d81f411b0ec1ac7d861358e145db4ba.exe

Filesize
999KB

MD5
870f5940e595217ef7a4d3dbb64796cc

SHA1
f92419fb200d4e835aec045adc167367593192e7

SHA256
b636f1389bb79e93c79484e0b5cc1faa7f0cf5f1b5b70abd7bfc2920e4007f76

SHA512
b34da40fdf33125cc88dec78c1478e54dd7c812546706e2a8fd749cfea18887f3440090f0ce68678d495ae14639bd2d24603454d5eb806dbb5a4c38ed79dc88b

Download Submit
memory/1380-285-0x0000000000BA0000-0x0000000000CA0000-memory.dmp

Filesize
1024KB

Download
memory/2096-6-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2096-4-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2096-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2096-8-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2096-7-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2096-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2096-0-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/2096-10-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2096-192-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/2096-217-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2096-281-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-1-0x0000000000990000-0x0000000000A90000-memory.dmp

Filesize
1024KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\Idle.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\Idle.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\Idle.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\System.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\Idle.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\smss.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Temp\\Crashpad\\reports\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\csrss.exe\", \"C:\\Windows\\debug\\lsass.exe\", \"C:\\ProgramData\\Adobe\\spoolsv.exe\", \"C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\Vss\\Writers\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\OSPPSVC.exe\", \"C:\\Users\\Admin\\smss.exe\", \"C:\\Users\\Admin\\Start Menu\\dwm.exe\", \"C:\\Program Files\\MSBuild\\wininit.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\csrss.exe\", \"C:\\ProgramData\\Desktop\\3d81f411b0ec1ac7d861358e145db4ba.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\Idle.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\smss.exe\", \"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\System.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\""	3d81f411b0ec1ac7d861358e145db4ba.exe