Analysis
max time kernel: 186s
max time network: 188s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 14909bcb7cf282cd6d04aae7359536af6bdcf18622393c04dc41246c6d74a017.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 14909bcb7cf282cd6d04aae7359536af6bdcf18622393c04dc41246c6d74a017.exe
Resource: win10v2004-20220812-en
General
Target: 14909bcb7cf282cd6d04aae7359536af6bdcf18622393c04dc41246c6d74a017.exe
Size: 43KB
MD5: 972c7a84906e81d424b888eb499e0c4b
SHA1: b82813e52d2f2b2d8fcaba1597505a3f13f42594
SHA256: 14909bcb7cf282cd6d04aae7359536af6bdcf18622393c04dc41246c6d74a017
SHA512: 9cead8196d85d05729a3d8b00214067647b0291d2f358b76b2996f7125667234cbbf43e2ce839d04032234d9dd155bf2b12b10abc46600102c4d90a3fe3b3d3c
SSDEEP: 768:3PJadenAqtYQnaXH96rV2kllriFqR7Atmqfvfj7sMC72ZWzFwKF/KpplW:3PnAClrVLTrEqNAxvXsf7rzV/KpXW
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Adds Run key to start application (2 TTPs, 64 IoCs)
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Modifies WinLogon (2 TTPs, 64 IoCs)
Drops file in System32 directory (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\14909bcb7cf282cd6d04aae7359536af6bdcf18622393c04dc41246c6d74a017.exe"C:\Users\Admin\AppData\Local\Temp\14909bcb7cf282cd6d04aae7359536af6bdcf18622393c04dc41246c6d74a017.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
Process tree, continued (nesting depth 17 to 122). Every entry below is the same binary: image path C:\Windows\SysWOW64\csrs.exe, started with the command line C:\Windows\system32\csrs.exe. The system32 path resolves to SysWOW64 because the process is 32-bit and WOW64 file-system redirection applies on this x64 host. Each process spawns the next one level deeper. Signatures thin out down the tree because each signature table in this report lists at most 64 IoCs (Loads dropped DLL fills up at depth 32, Executes dropped EXE at depth 65), so a missing signature on a later entry means the table is full, not that the behaviour stopped.

Depth  PID   Signatures
17     956   Executes dropped EXE; Loads dropped DLL
18     360   Executes dropped EXE; Loads dropped DLL
19     1968  Executes dropped EXE; Loads dropped DLL
20     1512  Executes dropped EXE; Loads dropped DLL
21     1440  Executes dropped EXE; Loads dropped DLL
22     1392  Executes dropped EXE; Loads dropped DLL
23     1936  Executes dropped EXE; Loads dropped DLL
24     660   Executes dropped EXE; Loads dropped DLL
25     872   Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
26     1248  Executes dropped EXE; Loads dropped DLL
27     568   Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
28     1848  Executes dropped EXE; Loads dropped DLL
29     1820  Executes dropped EXE; Loads dropped DLL
30     1792  Executes dropped EXE; Loads dropped DLL
31     1332  Executes dropped EXE; Loads dropped DLL
32     1268  Executes dropped EXE; Loads dropped DLL
33     1728  Executes dropped EXE
34     536   Executes dropped EXE
35     1752  Executes dropped EXE
36     1732  Executes dropped EXE
37     1960  Executes dropped EXE
38     1424  Executes dropped EXE
39     2008  Executes dropped EXE
40     1408  Executes dropped EXE
41     904   Executes dropped EXE; Drops file in System32 directory
42     1880  Executes dropped EXE
43     1652  Executes dropped EXE
44     1800  Executes dropped EXE
45     1568  Executes dropped EXE
46     1616  Executes dropped EXE
47     1012  Executes dropped EXE; Drops file in System32 directory
48     1372  Executes dropped EXE
49     836   Executes dropped EXE
50     2060  Executes dropped EXE
51     2080  Executes dropped EXE
52     2100  Executes dropped EXE
53     2120  Executes dropped EXE
54     2144  Executes dropped EXE
55     2168  Executes dropped EXE
56     2196  Executes dropped EXE
57     2216  Executes dropped EXE
58     2236  Executes dropped EXE
59     2256  Executes dropped EXE
60     2276  Executes dropped EXE
61     2296  Executes dropped EXE
62     2316  Executes dropped EXE; Modifies WinLogon
63     2336  Executes dropped EXE
64     2356  Executes dropped EXE
65     2376  Executes dropped EXE
66     2396  (none listed)
67     2412  (none listed)
68     2428  (none listed)
69     2444  (none listed)
70     2460  (none listed)
71     2476  Modifies WinLogon
72     2492  (none listed)
73     2508  (none listed)
74     2524  (none listed)
75     2540  (none listed)
76     2556  (none listed)
77     2572  (none listed)
78     2588  (none listed)
79     2604  (none listed)
80     2620  (none listed)
81     2636  (none listed)
82     2652  (none listed)
83     2668  (none listed)
84     2684  (none listed)
85     2700  (none listed)
86     2716  (none listed)
87     2732  (none listed)
88     2748  (none listed)
89     2764  (none listed)
90     2780  (none listed)
91     2796  (none listed)
92     2812  (none listed)
93     2828  (none listed)
94     2844  (none listed)
95     2860  Modifies WinLogon
96     2876  (none listed)
97     2892  (none listed)
98     2908  Adds Run key to start application
99     2924  (none listed)
100    2940  (none listed)
101    2956  (none listed)
102    2972  (none listed)
103    2988  (none listed)
104    3004  (none listed)
105    3020  (none listed)
106    3036  (none listed)
107    3052  (none listed)
108    3068  (none listed)
109    2068  Adds Run key to start application
110    2108  (none listed)
111    2132  (none listed)
112    2204  (none listed)
113    2244  (none listed)
114    2284  (none listed)
115    2324  (none listed)
116    2364  (none listed)
117    2424  (none listed)
118    2488  (none listed)
119    2552  (none listed)
120    2616  (none listed)
121    2680  (none listed)
122    2744  (none listed)
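The tree is worth turning into detection logic rather than reading by eye: csrs.exe is one character short of csrss.exe (the Client/Server Runtime Subsystem), every process relaunches itself one level deeper, the command line names system32 while the image runs from SysWOW64, and Run-key and Winlogon signatures fire along the chain. The script below is an added example, not tooling from the sandbox or from this sample's author. It parses entries in the fused form the report page renders (image path, command line and depth run together before ⤵, then "- signature" lines and a PID line), reconstructs the chain, and reports the masquerading, the WOW64 redirection, the longest self-spawn run and the ATT&CK persistence techniques the signatures evidence. SAMPLE_TREE, the dropper name and the PIDs in it are constructed for the example; the process-name list and the T1547 mappings are ordinary analyst assumptions, not anything the report states.

```python
"""Parse a Triage-style process tree and flag what this report's tree shows: a
lookalike of a core Windows process name relaunching itself in a long chain, with
Run-key and Winlogon persistence on the way. Added example, not the sandbox's own
tooling; SAMPLE_TREE is constructed in the report's fused entry format."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\dropper.exe"C:\Users\Admin\AppData\Local\Temp\dropper.exe"1⤵
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:952 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe3⤵
- Modifies WinLogon
PID:1760 -
C:\Windows\SysWOW64\csrs.exeC:\Windows\system32\csrs.exe4⤵PID:1212
"""

# Image path ends at the first ".exe"; depth is the digit run just before ⤵.
ENTRY_RE = re.compile(r"^(?P<image>.*?\.exe)(?P<cmdline>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
SIG_RE = re.compile(r"^- (?P<sig>.+?)\s*$")
# Core Windows process names that malware imitates with a one-character change (assumed list).
WINDOWS_CORE = ("csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "explorer.exe")
# Sandbox signature -> ATT&CK persistence technique it evidences (analyst mapping).
PERSISTENCE_SIGS = {"Adds Run key to start application": "T1547.001 Registry Run Keys",
                    "Modifies WinLogon": "T1547.004 Winlogon Helper DLL"}

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)
    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

def parse_tree(text: str) -> List[Proc]:
    """Fused report lines -> Proc records; signature/PID lines attach to the last entry."""
    procs: List[Proc] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ENTRY_RE.match(line):
            procs.append(Proc(m["image"], m["cmdline"], int(m["depth"]),
                              int(m["pid"]) if m["pid"] else None))
        elif procs and (m := PID_RE.match(line)):
            procs[-1].pid = int(m["pid"])
        elif procs and (m := SIG_RE.match(line)):
            procs[-1].signatures.append(m["sig"])
    return procs

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str) -> Optional[str]:
    """Core name that `name` imitates at distance exactly 1, else None. Distance 2
    would be too loose: the legitimate smss.exe is two edits from csrss.exe."""
    return next((w for w in WINDOWS_CORE if name != w and edit_distance(name, w) == 1), None)

def wow64_redirected(p: Proc) -> bool:
    """Command line says system32 but the image ran from SysWOW64: 32-bit binary under WOW64 redirection."""
    return "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower()

def longest_self_spawn_chain(procs: List[Proc]) -> tuple:
    """Longest run of consecutive entries where each process shares the previous
    one's image name and sits one level deeper: a binary relaunching itself."""
    best, run = ("", 0), 0
    for prev, cur in zip(procs, procs[1:]):
        run = (run or 1) + 1 if cur.name == prev.name and cur.depth == prev.depth + 1 else 0
        if run > best[1]:
            best = (cur.name, run)
    return best

def assess(text: str, chain_threshold: int = 3) -> dict:
    """Reduce the tree to the findings an analyst would triage on."""
    procs = parse_tree(text)
    chain = longest_self_spawn_chain(procs)
    return {
        "processes": len(procs),
        "masquerading": sorted({f"{p.name} -> {lookalike_of(p.name)}" for p in procs if lookalike_of(p.name)}),
        "wow64_redirected_pids": [p.pid for p in procs if wow64_redirected(p)],
        "self_spawn_chain": chain if chain[1] >= chain_threshold else None,
        "persistence": sorted({PERSISTENCE_SIGS[s] for p in procs for s in p.signatures if s in PERSISTENCE_SIGS}),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_TREE))
```

Run against a tree pasted from a report, `assess` returns the lookalike pairing, the PIDs whose "system32" command line was silently redirected, the length of the self-spawn run and the persistence techniques, which is enough to write the alert without reading a hundred identical rows. The lookalike threshold is deliberately one edit: at two edits the legitimate smss.exe would itself be flagged as imitating csrss.exe.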