dcrat | ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Size

3.4MB
MD5

4626a1483d82cf0be9302c305f6b54c4
SHA1

7f16e6aee9e0967b26e36b11de4654cfbffe2675
SHA256

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729
SHA512

6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54
SSDEEP

49152:xZXrXU/5+Zc5SVROVisjq7miG9vv2SNty1kIP2XMxARdpe:xZzU4c5SMXq7miAX2SNty1xPuMyHpe

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1796	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2792	schtasks.exe
1696	schtasks.exe
596	schtasks.exe
3056	schtasks.exe
1120	schtasks.exe
892	schtasks.exe
1600	schtasks.exe
572	schtasks.exe
2856	schtasks.exe
2860	schtasks.exe
2248	schtasks.exe
1740	schtasks.exe
2036	schtasks.exe
1508	schtasks.exe
1672	schtasks.exe
1044	schtasks.exe
2920	schtasks.exe
2412	schtasks.exe
2872	schtasks.exe
2168	schtasks.exe
1500	schtasks.exe
1992	schtasks.exe
1628	schtasks.exe
2012	schtasks.exe
2440	schtasks.exe
1720	schtasks.exe
2104	schtasks.exe
264	schtasks.exe
1708	schtasks.exe
1988	schtasks.exe
2696	schtasks.exe
2996	schtasks.exe
2464	schtasks.exe
2180	schtasks.exe
2568	schtasks.exe
1620	schtasks.exe
2668	schtasks.exe
2584	schtasks.exe
2388	schtasks.exe
2604	schtasks.exe
2664	schtasks.exe
2292	schtasks.exe
2692	schtasks.exe
924	schtasks.exe
3008	schtasks.exe
1368	schtasks.exe
3020	schtasks.exe
2364	schtasks.exe
1224	schtasks.exe
2932	schtasks.exe
2188	schtasks.exe
2196	schtasks.exe
2212	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2608	schtasks.exe

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2376-1-0x0000000001140000-0x00000000014AA000-memory.dmp	dcrat
C:\MSOCache\All Users\Idle.exe	dcrat
behavioral1/memory/2084-82-0x00000000000A0000-0x000000000040A000-memory.dmp	dcrat
behavioral1/memory/1716-93-0x00000000013C0000-0x000000000172A000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.exe

pid process

2084 csrss.exe
1716 csrss.exe
3056 csrss.exe
2980 csrss.exe
2856 csrss.exe

pid	process
2084	csrss.exe
1716	csrss.exe
3056	csrss.exe
2980	csrss.exe
2856	csrss.exe

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\Idle.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Web\\Wallpaper\\System.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Mail\\es-ES\\dwm.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729 = "\"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729 = "\"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Web\\Wallpaper\\System.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Downloads\\winlogon.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Mail\\es-ES\\dwm.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\Downloads\\winlogon.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\Idle.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.exeab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.execsrss.execsrss.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 10 IoCs

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files\Windows Mail\es-ES\6cb0b6c459d5d3	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\886983d96e3d3e	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\WmiPrvSE.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\24dbde2999530e	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files\Windows Mail\es-ES\dwm.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\f3b6ecef712a24	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

Drops file in Windows directory 6 IoCs

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

description	ioc	process
File created	C:\Windows\Web\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Windows\Web\54a7b081f59829	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Windows\Web\Wallpaper\System.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Windows\Web\Wallpaper\27d1bcfc3c54e0	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\csrss.exe	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\886983d96e3d3e	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1796	schtasks.exe
1696	schtasks.exe
1628	schtasks.exe
1720	schtasks.exe
2932	schtasks.exe
2388	schtasks.exe
2996	schtasks.exe
2664	schtasks.exe
1500	schtasks.exe
2196	schtasks.exe
1708	schtasks.exe
1044	schtasks.exe
2464	schtasks.exe
2872	schtasks.exe
2188	schtasks.exe
1672	schtasks.exe
1600	schtasks.exe
2104	schtasks.exe
2168	schtasks.exe
2036	schtasks.exe
3056	schtasks.exe
2696	schtasks.exe
1620	schtasks.exe
924	schtasks.exe
2668	schtasks.exe
264	schtasks.exe
1508	schtasks.exe
596	schtasks.exe
2212	schtasks.exe
572	schtasks.exe
2692	schtasks.exe
1224	schtasks.exe
2180	schtasks.exe
2440	schtasks.exe
2920	schtasks.exe
2584	schtasks.exe
1740	schtasks.exe
2856	schtasks.exe
1368	schtasks.exe
3020	schtasks.exe
2412	schtasks.exe
2568	schtasks.exe
2248	schtasks.exe
1988	schtasks.exe
3008	schtasks.exe
2792	schtasks.exe
892	schtasks.exe
1992	schtasks.exe
2292	schtasks.exe
2860	schtasks.exe
1120	schtasks.exe
2012	schtasks.exe
2364	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.execsrss.exe

pid	process
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Token: SeDebugPrivilege	2084	csrss.exe
Token: SeDebugPrivilege	1716	csrss.exe
Token: SeDebugPrivilege	3056	csrss.exe
Token: SeDebugPrivilege	2980	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.execmd.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exe

description	pid	process	target process
PID 2376 wrote to memory of 2816	2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe	cmd.exe
PID 2376 wrote to memory of 2816	2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe	cmd.exe
PID 2376 wrote to memory of 2816	2376	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe	cmd.exe
PID 2816 wrote to memory of 2688	2816	cmd.exe	w32tm.exe
PID 2816 wrote to memory of 2688	2816	cmd.exe	w32tm.exe
PID 2816 wrote to memory of 2688	2816	cmd.exe	w32tm.exe
PID 2816 wrote to memory of 2084	2816	cmd.exe	csrss.exe
PID 2816 wrote to memory of 2084	2816	cmd.exe	csrss.exe
PID 2816 wrote to memory of 2084	2816	cmd.exe	csrss.exe
PID 2084 wrote to memory of 2152	2084	csrss.exe	WScript.exe
PID 2084 wrote to memory of 2152	2084	csrss.exe	WScript.exe
PID 2084 wrote to memory of 2152	2084	csrss.exe	WScript.exe
PID 2084 wrote to memory of 2852	2084	csrss.exe	WScript.exe
PID 2084 wrote to memory of 2852	2084	csrss.exe	WScript.exe
PID 2084 wrote to memory of 2852	2084	csrss.exe	WScript.exe
PID 2152 wrote to memory of 1716	2152	WScript.exe	csrss.exe
PID 2152 wrote to memory of 1716	2152	WScript.exe	csrss.exe
PID 2152 wrote to memory of 1716	2152	WScript.exe	csrss.exe
PID 1716 wrote to memory of 2576	1716	csrss.exe	WScript.exe
PID 1716 wrote to memory of 2576	1716	csrss.exe	WScript.exe
PID 1716 wrote to memory of 2576	1716	csrss.exe	WScript.exe
PID 1716 wrote to memory of 2792	1716	csrss.exe	WScript.exe
PID 1716 wrote to memory of 2792	1716	csrss.exe	WScript.exe
PID 1716 wrote to memory of 2792	1716	csrss.exe	WScript.exe
PID 2576 wrote to memory of 3056	2576	WScript.exe	csrss.exe
PID 2576 wrote to memory of 3056	2576	WScript.exe	csrss.exe
PID 2576 wrote to memory of 3056	2576	WScript.exe	csrss.exe
PID 3056 wrote to memory of 1232	3056	csrss.exe	WScript.exe
PID 3056 wrote to memory of 1232	3056	csrss.exe	WScript.exe
PID 3056 wrote to memory of 1232	3056	csrss.exe	WScript.exe
PID 3056 wrote to memory of 1608	3056	csrss.exe	WScript.exe
PID 3056 wrote to memory of 1608	3056	csrss.exe	WScript.exe
PID 3056 wrote to memory of 1608	3056	csrss.exe	WScript.exe
PID 1232 wrote to memory of 2980	1232	WScript.exe	csrss.exe
PID 1232 wrote to memory of 2980	1232	WScript.exe	csrss.exe
PID 1232 wrote to memory of 2980	1232	WScript.exe	csrss.exe
PID 2980 wrote to memory of 1808	2980	csrss.exe	WScript.exe
PID 2980 wrote to memory of 1808	2980	csrss.exe	WScript.exe
PID 2980 wrote to memory of 1808	2980	csrss.exe	WScript.exe
PID 2980 wrote to memory of 2644	2980	csrss.exe	WScript.exe
PID 2980 wrote to memory of 2644	2980	csrss.exe	WScript.exe
PID 2980 wrote to memory of 2644	2980	csrss.exe	WScript.exe
PID 1808 wrote to memory of 2856	1808	WScript.exe	csrss.exe
PID 1808 wrote to memory of 2856	1808	WScript.exe	csrss.exe
PID 1808 wrote to memory of 2856	1808	WScript.exe	csrss.exe
PID 2856 wrote to memory of 1500	2856	csrss.exe	WScript.exe
PID 2856 wrote to memory of 1500	2856	csrss.exe	WScript.exe
PID 2856 wrote to memory of 1500	2856	csrss.exe	WScript.exe
PID 2856 wrote to memory of 3036	2856	csrss.exe	WScript.exe
PID 2856 wrote to memory of 3036	2856	csrss.exe	WScript.exe
PID 2856 wrote to memory of 3036	2856	csrss.exe	WScript.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.exeab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
"C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BBrIyNhTwy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2688
- - C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe
    "C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0d08adc-82b0-46f7-820d-cf5e29fe9942.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1716
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7996ac3d-43a9-4c31-8198-ec1962050433.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\029a1742-5d24-477b-8792-1972de98450a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5737566-e93b-4f4e-ae22-d9d3b543a7a2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab79ac74-bf19-449b-a725-b023ea050012.vbs"
        12⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5183cce-c30d-4158-a639-dc37ed780f61.vbs"
        12⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\471c3cc3-4496-4177-9b13-74f0ad6dec04.vbs"
        10⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd71d23-b623-40f5-95bc-449814663309.vbs"
        8⤵
        
        PID:1608
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6377b7a0-52fd-4928-ba7f-28ea8c649f41.vbs"
        6⤵
        
        PID:2792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5135fda-64ed-4b9c-be57-958e81dbd773.vbs"
      4⤵
      PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729a" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729" /sc ONLOGON /tr "'C:\Windows\Web\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729a" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\es-ES\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Downloads\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\Idle.exe

Filesize
3.4MB

MD5
4626a1483d82cf0be9302c305f6b54c4

SHA1
7f16e6aee9e0967b26e36b11de4654cfbffe2675

SHA256
ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

SHA512
6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\029a1742-5d24-477b-8792-1972de98450a.vbs

Filesize
730B

MD5
286bbb90498582eb48727f908a623b56

SHA1
03eb0c9376739af57b8edd6052b0196b54364a79

SHA256
892acd04bdbb51060c1a3306908d71ed07993abd0e65e67d6e64cc04679a7342

SHA512
0d85c06edf3263aca6b7853904846abf547d1e813014f9d429e832f4e50fc0dd9b50db3a585be5db914cedb77f44a34e1905e7b3d33aa478444cc10c81f164f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7996ac3d-43a9-4c31-8198-ec1962050433.vbs

Filesize
730B

MD5
fd5016a0ad3d32b7d10878a97962ff6b

SHA1
c809731b0fc3f0057574fbbdfd613dfe91afc248

SHA256
5291d963246c9ef9e649aaf49c721f40e128ecec8bed268b25036a268257280b

SHA512
87abd7441af5db556e78ef1eed5d802719194765ef30b07e815f714632a24a12a413db79e548fd217bd71cd776153924af0111ef6b184ccb9169e7525b72ee9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBrIyNhTwy.bat

Filesize
219B

MD5
25eb19a8a2d297704aa70abcb18b262c

SHA1
56a3a669b8c63b0c7a62fe8fcd1ab13204ba417e

SHA256
1750d73261e21ca77943f2d550e0842c7bf914d5016249eb3c000e6224d07702

SHA512
e51f5685fe0ea1af79bdf29b344f5aa7d33c31fa6d31bfb3c9d31d6d96709f81b1245ccb5972925cca1779a7789dab09cc0a9bd3d177083e2cdd44b9355fad3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab79ac74-bf19-449b-a725-b023ea050012.vbs

Filesize
730B

MD5
8dce5b085192121e7f0a7ae1a8a9a199

SHA1
637b2ee406eb82cbe2593c2961046867ad874a7e

SHA256
a4c96eaa8af9d77c1f356c49ff01eedae6d22a871768f328c8fab664fce77b62

SHA512
4bc1de09f3cf0ae5c5fd8d9035123b95a01526cfdc28e949c8cde849460a15c18ddbcc92298f5cc93c3f04d2b2a265ff7abbd4d7d267bd2888c95cc0e37cb94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0d08adc-82b0-46f7-820d-cf5e29fe9942.vbs

Filesize
730B

MD5
902f6e985122fd0d62a32d6762388ff3

SHA1
36dd3360c4cac26be74a4372742eed79625447cb

SHA256
ce5ab31f603326b74094b6a97f017ac0148780ed05dc1bd15c0012a1a0247650

SHA512
3025bfd385284ce19528d4faded0a94bb723c7f4317c93ec2d98e3f6e0b38e51d16e049ece7661ef02c6d08199e11889e9c1986f08f31b3c704373d9a48cd252

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5737566-e93b-4f4e-ae22-d9d3b543a7a2.vbs

Filesize
730B

MD5
64f2f6df2cdc52406c485d677cb99cc6

SHA1
4ef33241ba33059f8352b0e77b749c5f2f1d9ab0

SHA256
8cd34cc81c9e0214a704b71b80a052a755c0a2448b175ebab2a921ea2529e652

SHA512
8f1c74725dca9f3750b4886b2bb88901173640d15cb3fddb29d68fd12977da86878455d0ed30001461b7286f41bfb425d0948531ef6c17f3247406ce5f371ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5135fda-64ed-4b9c-be57-958e81dbd773.vbs

Filesize
506B

MD5
e5662ea18f964b8d0eb8bfd4ddf6e793

SHA1
8fe784ecf110d35cb0745f326edded2c0f84a465

SHA256
029070f37ecc0b2751a0bbc8aa5846a5052057d6ac52577255299463f206144f

SHA512
25645edfa5f09d6b1839e1025124eafd4d03ccf1cd55015c9a96588d6840a27d5202dd6c69660783fd677d0cda0956fd163648956d1a403177ad0c6aa5d3aad6

Download Submit
memory/1716-94-0x00000000005E0000-0x0000000000636000-memory.dmp

Filesize
344KB

Download
memory/1716-93-0x00000000013C0000-0x000000000172A000-memory.dmp

Filesize
3.4MB

Download
memory/2084-82-0x00000000000A0000-0x000000000040A000-memory.dmp

Filesize
3.4MB

Download
memory/2376-13-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2376-32-0x000000001B030000-0x000000001B03E000-memory.dmp

Filesize
56KB

Download
memory/2376-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/2376-14-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2376-15-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2376-16-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/2376-17-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/2376-18-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/2376-19-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/2376-20-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/2376-21-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/2376-22-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

Filesize
48KB

Download
memory/2376-23-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/2376-24-0x0000000001010000-0x0000000001018000-memory.dmp

Filesize
32KB

Download
memory/2376-25-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/2376-26-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/2376-27-0x000000001AFF0000-0x000000001AFF8000-memory.dmp

Filesize
32KB

Download
memory/2376-28-0x000000001AFE0000-0x000000001AFEC000-memory.dmp

Filesize
48KB

Download
memory/2376-29-0x000000001B000000-0x000000001B00A000-memory.dmp

Filesize
40KB

Download
memory/2376-30-0x000000001B010000-0x000000001B01E000-memory.dmp

Filesize
56KB

Download
memory/2376-31-0x000000001B020000-0x000000001B028000-memory.dmp

Filesize
32KB

Download
memory/2376-12-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2376-33-0x000000001B040000-0x000000001B048000-memory.dmp

Filesize
32KB

Download
memory/2376-34-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/2376-36-0x000000001B070000-0x000000001B07A000-memory.dmp

Filesize
40KB

Download
memory/2376-35-0x000000001B060000-0x000000001B068000-memory.dmp

Filesize
32KB

Download
memory/2376-37-0x000000001B080000-0x000000001B08C000-memory.dmp

Filesize
48KB

Download
memory/2376-11-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2376-9-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2376-79-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-10-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2376-8-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2376-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2376-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2376-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2376-4-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2376-1-0x0000000001140000-0x00000000014AA000-memory.dmp

Filesize
3.4MB

Download
memory/2376-3-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2376-2-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-129-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/3056-106-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\", \"C:\\Windows\\Web\\Wallpaper\\System.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\", \"C:\\Windows\\Web\\Wallpaper\\System.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\", \"C:\\Windows\\Web\\Wallpaper\\System.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dwm.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\", \"C:\\Windows\\Web\\Wallpaper\\System.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\", \"C:\\Windows\\Web\\Wallpaper\\System.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\audiodg.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\csrss.exe\", \"C:\\Windows\\Web\\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe\", \"C:\\MSOCache\\All Users\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\spoolsv.exe\", \"C:\\Users\\Admin\\sppsvc.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\WmiPrvSE.exe\", \"C:\\Windows\\Web\\Wallpaper\\System.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\lsass.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dwm.exe\", \"C:\\Users\\Admin\\Downloads\\winlogon.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\""	ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe