dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
107s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85edcd8fbc445760ff0796aa459e3c42.exe
Size

999KB
MD5

85edcd8fbc445760ff0796aa459e3c42
SHA1

bc63d62de0f20bee25246b808bf512371e9aa875
SHA256

8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292
SHA512

a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5460	schtasks.exe
		1672	schtasks.exe
		1272	schtasks.exe
		4244	schtasks.exe
File created	C:\Windows\Cursors\6cb0b6c459d5d3		85edcd8fbc445760ff0796aa459e3c42.exe
		5932	schtasks.exe
		2328	schtasks.exe
		5316	schtasks.exe
		4664	schtasks.exe
		4952	schtasks.exe
		5624	schtasks.exe
		5840	schtasks.exe
		1724	schtasks.exe
		5516	schtasks.exe
		212	schtasks.exe
		6132	schtasks.exe
		5028	schtasks.exe
		6072	schtasks.exe
		3696	schtasks.exe
		5852	schtasks.exe
		5128	schtasks.exe
		928	schtasks.exe
		6024	schtasks.exe
		1064	schtasks.exe
		5712	schtasks.exe
		1712	schtasks.exe
		2968	schtasks.exe
		748	schtasks.exe
		5212	schtasks.exe
		2000	schtasks.exe
		3656	schtasks.exe
		636	schtasks.exe
		5824	schtasks.exe
		4000	schtasks.exe
		6116	schtasks.exe
		4832	schtasks.exe
		4940	schtasks.exe
		5484	schtasks.exe
		1840	schtasks.exe
		1992	schtasks.exe
		4368	schtasks.exe
		6004	schtasks.exe
		2928	schtasks.exe
		5768	schtasks.exe
		824	schtasks.exe
		5280	schtasks.exe
		5700	schtasks.exe
		2980	schtasks.exe
		5416	schtasks.exe
		3720	schtasks.exe
		540	schtasks.exe
		2560	schtasks.exe
		1896	schtasks.exe
		1924	schtasks.exe
		5556	schtasks.exe
		3280	schtasks.exe
		3704	schtasks.exe
		5324	schtasks.exe
		2356	schtasks.exe
		1052	schtasks.exe
		404	schtasks.exe
		2008	schtasks.exe
		6048	schtasks.exe
		1668	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 26 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5316	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6004	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5556	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5404	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5508	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5168	4560	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4560	schtasks.exe	87

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	85edcd8fbc445760ff0796aa459e3c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	85edcd8fbc445760ff0796aa459e3c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	85edcd8fbc445760ff0796aa459e3c42.exe

Executes dropped EXE 3 IoCs

pid	Process
5724	85edcd8fbc445760ff0796aa459e3c42.exe
4344	85edcd8fbc445760ff0796aa459e3c42.exe
3288	dwm.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Cursors\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85edcd8fbc445760ff0796aa459e3c42 = "\"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85edcd8fbc445760ff0796aa459e3c42 = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\fontdrvhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\ebea8a0c5b7ebb8dc5b60da7\\MoUsoCoreWorker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\Downloads\\TextInputHost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\ebea8a0c5b7ebb8dc5b60da7\\sysmon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Public\\TextInputHost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Internet Explorer\\uk-UA\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\fontdrvhost.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\5b884080fd4f94	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\winlogon.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\85edcd8fbc445760ff0796aa459e3c42.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\5c17977c0b6d36	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\winlogon.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\cc11b995f2a76d	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\fontdrvhost.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\85edcd8fbc445760ff0796aa459e3c42.exe	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\dwm.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Cursors\dwm.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Cursors\RCX422B.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\DigitalLocker\en-US\9e8d7a4ca61bd9	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\debug\RuntimeBroker.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\Cursors\6cb0b6c459d5d3	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Cursors\RCX422C.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\debug\9e8d7a4ca61bd9	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\debug\RuntimeBroker.exe	85edcd8fbc445760ff0796aa459e3c42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	85edcd8fbc445760ff0796aa459e3c42.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5932	schtasks.exe
6004	schtasks.exe
1724	schtasks.exe
4172	schtasks.exe
1924	schtasks.exe
1816	schtasks.exe
4376	schtasks.exe
824	schtasks.exe
5824	schtasks.exe
2884	schtasks.exe
3612	schtasks.exe
2592	schtasks.exe
6024	schtasks.exe
4664	schtasks.exe
4688	schtasks.exe
3720	schtasks.exe
6116	schtasks.exe
4000	schtasks.exe
5624	schtasks.exe
3656	schtasks.exe
540	schtasks.exe
404	schtasks.exe
5316	schtasks.exe
5460	schtasks.exe
2328	schtasks.exe
4656	schtasks.exe
4528	schtasks.exe
1672	schtasks.exe
4368	schtasks.exe
60	schtasks.exe
4136	schtasks.exe
4912	schtasks.exe
1064	schtasks.exe
5712	schtasks.exe
4244	schtasks.exe
2980	schtasks.exe
1668	schtasks.exe
5324	schtasks.exe
1272	schtasks.exe
316	schtasks.exe
4636	schtasks.exe
4288	schtasks.exe
5404	schtasks.exe
5464	schtasks.exe
2356	schtasks.exe
4672	schtasks.exe
2036	schtasks.exe
4632	schtasks.exe
5852	schtasks.exe
5028	schtasks.exe
4588	schtasks.exe
5840	schtasks.exe
1992	schtasks.exe
4992	schtasks.exe
5164	schtasks.exe
1092	schtasks.exe
4952	schtasks.exe
6132	schtasks.exe
4832	schtasks.exe
1840	schtasks.exe
3280	schtasks.exe
5128	schtasks.exe
5168	schtasks.exe
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
5520	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
5724	85edcd8fbc445760ff0796aa459e3c42.exe
4344	85edcd8fbc445760ff0796aa459e3c42.exe
4344	85edcd8fbc445760ff0796aa459e3c42.exe
4344	85edcd8fbc445760ff0796aa459e3c42.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5520	85edcd8fbc445760ff0796aa459e3c42.exe
Token: SeDebugPrivilege	5724	85edcd8fbc445760ff0796aa459e3c42.exe
Token: SeDebugPrivilege	4344	85edcd8fbc445760ff0796aa459e3c42.exe
Token: SeDebugPrivilege	3288	dwm.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5520 wrote to memory of 5724	5520	85edcd8fbc445760ff0796aa459e3c42.exe	98
PID 5520 wrote to memory of 5724	5520	85edcd8fbc445760ff0796aa459e3c42.exe	98
PID 5724 wrote to memory of 4336	5724	85edcd8fbc445760ff0796aa459e3c42.exe	175
PID 5724 wrote to memory of 4336	5724	85edcd8fbc445760ff0796aa459e3c42.exe	175
PID 4336 wrote to memory of 4252	4336	cmd.exe	177
PID 4336 wrote to memory of 4252	4336	cmd.exe	177
PID 4336 wrote to memory of 4344	4336	cmd.exe	178
PID 4336 wrote to memory of 4344	4336	cmd.exe	178
PID 4344 wrote to memory of 3288	4344	85edcd8fbc445760ff0796aa459e3c42.exe	203
PID 4344 wrote to memory of 3288	4344	85edcd8fbc445760ff0796aa459e3c42.exe	203

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe
"C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5520
- C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe
  "C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hrCifyI9nN.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe
      "C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Recovery\WindowsRE\dwm.exe
        
        "C:\Recovery\WindowsRE\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 11 /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\87efddaf44110a3d80760c508da79ad7\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 9 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c42" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\85edcd8fbc445760ff0796aa459e3c42.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c42" /sc ONLOGON /tr "'C:\Users\Default User\85edcd8fbc445760ff0796aa459e3c42.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c42" /sc ONSTART /tr "'C:\Users\Default User\85edcd8fbc445760ff0796aa459e3c42.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c428" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\85edcd8fbc445760ff0796aa459e3c42.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONSTART /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 9 /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONSTART /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 14 /tr "'C:\ProgramData\ssh\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\ssh\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONSTART /tr "'C:\ProgramData\ssh\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\ProgramData\ssh\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 5 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc MINUTE /mo 14 /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONSTART /tr "'C:\Users\Public\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Public\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3446877943-4095308722-756223633-1000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3446877943-4095308722-756223633-1000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3446877943-4095308722-756223633-1000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3446877943-4095308722-756223633-1000\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc MINUTE /mo 5 /tr "'C:\87efddaf44110a3d80760c508da79ad7\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONSTART /tr "'C:\87efddaf44110a3d80760c508da79ad7\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\87efddaf44110a3d80760c508da79ad7\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc MINUTE /mo 9 /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONSTART /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\87efddaf44110a3d80760c508da79ad7\taskhostw.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\explorer.exe'" /f
1⤵
- DcRat
PID:5768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c42" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\85edcd8fbc445760ff0796aa459e3c42.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c42" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\85edcd8fbc445760ff0796aa459e3c42.exe'" /rl HIGHEST /f
1⤵
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c42" /sc ONSTART /tr "'C:\Program Files\Windows NT\TableTextService\en-US\85edcd8fbc445760ff0796aa459e3c42.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85edcd8fbc445760ff0796aa459e3c428" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\85edcd8fbc445760ff0796aa459e3c42.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\winlogon.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONSTART /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\fontdrvhost.exe'" /f
1⤵
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc MINUTE /mo 11 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONSTART /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
PID:5520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- DcRat
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc MINUTE /mo 5 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONSTART /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\sysmon.exe'" /f
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\87efddaf44110a3d80760c508da79ad7\smss.exe

Filesize
999KB

MD5
af33529603278f0191c9d2ddb27a5e61

SHA1
d346ec591427027e4d00e0f4c973c911507ef44a

SHA256
3f1aecddee54f32dab652cc47a7b3e7be2a6f65834edb4ed862eb586d2b6ec21

SHA512
69d26f4d7b1c5603f4e5cddd69c51abe51f062712c9ffa7327e681cea36a0797acdd146aa1aebeec8bddcd9d781b81f0824923293e44df11c083236487cdcf61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\85edcd8fbc445760ff0796aa459e3c42.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrCifyI9nN.bat

Filesize
234B

MD5
f0a033c03179d00d9132ec33200e7fef

SHA1
21396d06195833cca896f310cf703120166995b8

SHA256
7320fe6550a069195144a33c6537714bdd5f389fb579f6c5d28cf11e515e92ea

SHA512
88b08225b712c2f8967d991f7127658ca2e5d57601db8e2818a5201ff217b5fd769c2b28261d7953116304c17bcbeb6801427b61873a8e6fe7889bef6171c638

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
999KB

MD5
85edcd8fbc445760ff0796aa459e3c42

SHA1
bc63d62de0f20bee25246b808bf512371e9aa875

SHA256
8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292

SHA512
a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c

Download Submit
memory/5520-7-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/5520-8-0x0000000002CA0000-0x0000000002CAC000-memory.dmp

Filesize
48KB

Download
memory/5520-10-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

Filesize
48KB

Download
memory/5520-11-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

Filesize
48KB

Download
memory/5520-9-0x0000000002CB0000-0x0000000002CBE000-memory.dmp

Filesize
56KB

Download
memory/5520-6-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/5520-5-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5520-3-0x0000000001360000-0x000000000137C000-memory.dmp

Filesize
112KB

Download
memory/5520-1-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/5520-4-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/5520-47-0x00007FFB73AC0000-0x00007FFB74581000-memory.dmp

Filesize
10.8MB

Download
memory/5520-2-0x00007FFB73AC0000-0x00007FFB74581000-memory.dmp

Filesize
10.8MB

Download
memory/5520-0-0x00007FFB73AC3000-0x00007FFB73AC5000-memory.dmp

Filesize
8KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\fontdrvhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\fontdrvhost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\MoUsoCoreWorker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\fontdrvhost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\MoUsoCoreWorker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\sysmon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\uk-UA\\winlogon.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\dwm.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\smss.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Users\\Public\\Downloads\\TextInputHost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\ProgramData\\ssh\\backgroundTaskHost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\explorer.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Cookies\\fontdrvhost.exe\", \"C:\\Users\\Public\\TextInputHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\ProgramData\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\S-1-5-21-3446877943-4095308722-756223633-1000\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\conhost.exe\", \"C:\\87efddaf44110a3d80760c508da79ad7\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\explorer.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\85edcd8fbc445760ff0796aa459e3c42.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\uk-UA\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\TextConv\\en-US\\fontdrvhost.exe\", \"C:\\ebea8a0c5b7ebb8dc5b60da7\\MoUsoCoreWorker.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe