dcrat | 9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Size

1.5MB
MD5

04c9152dc94eab52c92ddf3133f3ac7b
SHA1

59be48b0636b28831dc5436e0fb75c27d3384cd6
SHA256

9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1
SHA512

6a8c302eb67a44a32dcc2461b64ab3193b65b8570d5f0b998b8924899943a9227fe45b71d5dc16f50674f9cff94cb477159d95670340f12f7eca8c71be8e3560
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRo:EzhWhCXQFN+0IEuQgyiVKw

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\devmgmt\\dwm.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\devmgmt\\dwm.exe\", \"C:\\Windows\\es-ES\\SppExtComObj.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\devmgmt\\dwm.exe\", \"C:\\Windows\\es-ES\\SppExtComObj.exe\", \"C:\\Windows\\System32\\PeerDistCacheProvider\\fontdrvhost.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\devmgmt\\dwm.exe\", \"C:\\Windows\\es-ES\\SppExtComObj.exe\", \"C:\\Windows\\System32\\PeerDistCacheProvider\\fontdrvhost.exe\", \"C:\\Users\\All Users\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\devmgmt\\dwm.exe\", \"C:\\Windows\\es-ES\\SppExtComObj.exe\", \"C:\\Windows\\System32\\PeerDistCacheProvider\\fontdrvhost.exe\", \"C:\\Users\\All Users\\csrss.exe\", \"C:\\Documents and Settings\\dllhost.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3596	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3596	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3596	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	3596	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3596	schtasks.exe	82

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1804	powershell.exe
1736	powershell.exe
3044	powershell.exe
2160	powershell.exe
3516	powershell.exe
4056	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 15 IoCs

pid	Process
4032	csrss.exe
1656	csrss.exe
1432	csrss.exe
5112	csrss.exe
4476	csrss.exe
1176	csrss.exe
2572	csrss.exe
632	csrss.exe
2840	csrss.exe
5012	csrss.exe
2684	csrss.exe
3180	csrss.exe
3040	csrss.exe
4396	csrss.exe
3412	csrss.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\devmgmt\\dwm.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\es-ES\\SppExtComObj.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\PeerDistCacheProvider\\fontdrvhost.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Documents and Settings\\dllhost.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\devmgmt\\dwm.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\es-ES\\SppExtComObj.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\PeerDistCacheProvider\\fontdrvhost.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\csrss.exe\""	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\PeerDistCacheProvider\fontdrvhost.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\PeerDistCacheProvider\5b884080fd4f94	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\devmgmt\RCXB845.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\PeerDistCacheProvider\RCXBCCB.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\PeerDistCacheProvider\fontdrvhost.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\devmgmt\dwm.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\System32\devmgmt\dwm.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\System32\devmgmt\6cb0b6c459d5d3	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\SppExtComObj.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File created	C:\Windows\es-ES\e1ef82546f0b02	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\es-ES\RCXBA49.tmp	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
File opened for modification	C:\Windows\es-ES\SppExtComObj.exe	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4072	schtasks.exe
3860	schtasks.exe
3992	schtasks.exe
4088	schtasks.exe
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
1736	powershell.exe
3516	powershell.exe
3044	powershell.exe
1804	powershell.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
2160	powershell.exe
4056	powershell.exe
1736	powershell.exe
1804	powershell.exe
3044	powershell.exe
4056	powershell.exe
3516	powershell.exe
2160	powershell.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe
4032	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4032	csrss.exe
Token: SeDebugPrivilege	1656	csrss.exe
Token: SeDebugPrivilege	1432	csrss.exe
Token: SeDebugPrivilege	5112	csrss.exe
Token: SeDebugPrivilege	4476	csrss.exe
Token: SeDebugPrivilege	1176	csrss.exe
Token: SeDebugPrivilege	2572	csrss.exe
Token: SeDebugPrivilege	632	csrss.exe
Token: SeDebugPrivilege	2840	csrss.exe
Token: SeDebugPrivilege	5012	csrss.exe
Token: SeDebugPrivilege	2684	csrss.exe
Token: SeDebugPrivilege	3180	csrss.exe
Token: SeDebugPrivilege	3040	csrss.exe
Token: SeDebugPrivilege	4396	csrss.exe
Token: SeDebugPrivilege	3412	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4056	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	88
PID 4592 wrote to memory of 4056	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	88
PID 4592 wrote to memory of 1804	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	89
PID 4592 wrote to memory of 1804	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	89
PID 4592 wrote to memory of 3516	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	90
PID 4592 wrote to memory of 3516	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	90
PID 4592 wrote to memory of 2160	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	91
PID 4592 wrote to memory of 2160	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	91
PID 4592 wrote to memory of 3044	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	92
PID 4592 wrote to memory of 3044	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	92
PID 4592 wrote to memory of 1736	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	93
PID 4592 wrote to memory of 1736	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	93
PID 4592 wrote to memory of 4032	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	100
PID 4592 wrote to memory of 4032	4592	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe	100
PID 4032 wrote to memory of 4940	4032	csrss.exe	101
PID 4032 wrote to memory of 4940	4032	csrss.exe	101
PID 4032 wrote to memory of 2992	4032	csrss.exe	102
PID 4032 wrote to memory of 2992	4032	csrss.exe	102
PID 4940 wrote to memory of 1656	4940	WScript.exe	109
PID 4940 wrote to memory of 1656	4940	WScript.exe	109
PID 1656 wrote to memory of 1924	1656	csrss.exe	110
PID 1656 wrote to memory of 1924	1656	csrss.exe	110
PID 1656 wrote to memory of 364	1656	csrss.exe	111
PID 1656 wrote to memory of 364	1656	csrss.exe	111
PID 1924 wrote to memory of 1432	1924	WScript.exe	112
PID 1924 wrote to memory of 1432	1924	WScript.exe	112
PID 1432 wrote to memory of 4592	1432	csrss.exe	113
PID 1432 wrote to memory of 4592	1432	csrss.exe	113
PID 1432 wrote to memory of 2296	1432	csrss.exe	114
PID 1432 wrote to memory of 2296	1432	csrss.exe	114
PID 4592 wrote to memory of 5112	4592	WScript.exe	116
PID 4592 wrote to memory of 5112	4592	WScript.exe	116
PID 5112 wrote to memory of 3108	5112	csrss.exe	117
PID 5112 wrote to memory of 3108	5112	csrss.exe	117
PID 5112 wrote to memory of 900	5112	csrss.exe	118
PID 5112 wrote to memory of 900	5112	csrss.exe	118
PID 3108 wrote to memory of 4476	3108	WScript.exe	120
PID 3108 wrote to memory of 4476	3108	WScript.exe	120
PID 4476 wrote to memory of 732	4476	csrss.exe	121
PID 4476 wrote to memory of 732	4476	csrss.exe	121
PID 4476 wrote to memory of 5040	4476	csrss.exe	122
PID 4476 wrote to memory of 5040	4476	csrss.exe	122
PID 732 wrote to memory of 1176	732	WScript.exe	123
PID 732 wrote to memory of 1176	732	WScript.exe	123
PID 1176 wrote to memory of 1464	1176	csrss.exe	124
PID 1176 wrote to memory of 1464	1176	csrss.exe	124
PID 1176 wrote to memory of 1080	1176	csrss.exe	125
PID 1176 wrote to memory of 1080	1176	csrss.exe	125
PID 1464 wrote to memory of 2572	1464	WScript.exe	126
PID 1464 wrote to memory of 2572	1464	WScript.exe	126
PID 2572 wrote to memory of 32	2572	csrss.exe	127
PID 2572 wrote to memory of 32	2572	csrss.exe	127
PID 2572 wrote to memory of 484	2572	csrss.exe	128
PID 2572 wrote to memory of 484	2572	csrss.exe	128
PID 32 wrote to memory of 632	32	WScript.exe	129
PID 32 wrote to memory of 632	32	WScript.exe	129
PID 632 wrote to memory of 3636	632	csrss.exe	130
PID 632 wrote to memory of 3636	632	csrss.exe	130
PID 632 wrote to memory of 4612	632	csrss.exe	131
PID 632 wrote to memory of 4612	632	csrss.exe	131
PID 3636 wrote to memory of 2840	3636	WScript.exe	132
PID 3636 wrote to memory of 2840	3636	WScript.exe	132
PID 2840 wrote to memory of 3736	2840	csrss.exe	133
PID 2840 wrote to memory of 3736	2840	csrss.exe	133

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe
"C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\devmgmt\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PeerDistCacheProvider\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Users\All Users\csrss.exe
  "C:\Users\All Users\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3c68f7d-6f37-427d-a400-68a5117e1c52.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\All Users\csrss.exe
      "C:\Users\All Users\csrss.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c330c5d3-9f22-4a07-a586-5c7405128d1e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ad0ddb-8009-4fff-b7b7-87a66eb10f6c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79b168c3-861b-455d-be3c-8dfdd54467fc.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66b34bc-2f2d-4dc8-87bd-2d121752c4ec.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6afae9c-71e0-46cf-8860-6ff8d24d0c31.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3de8c17-831e-4c99-acb8-70ed9967b07e.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aeffe1e-e20d-47a9-aca8-d382a0e46ec9.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0103b47c-1c04-45c5-bca9-8f4541f74728.vbs"
        19⤵
        
        PID:3736
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e187a9f6-7ef2-4fec-88d1-99191fe1cffe.vbs"
        21⤵
        
        PID:3500
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c0a729-4c5d-4d0a-9696-9318db3041e9.vbs"
        23⤵
        
        PID:2508
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23043ada-bfe7-4d4c-a3a7-3044bbbccc8c.vbs"
        25⤵
        
        PID:2864
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ad8c16-8fd7-47ae-bddc-ab4870b997e9.vbs"
        27⤵
        
        PID:1552
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1eba5d0-8ace-4e9b-b53f-1f7483759ea2.vbs"
        29⤵
        
        PID:1436
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cebd8de-ad49-4096-9a59-69cac2a80bde.vbs"
        31⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae940a09-ab97-4913-b4bc-cd41707e91f6.vbs"
        31⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56487cd4-3241-42ad-b6d0-5de1f7df82ca.vbs"
        29⤵
        
        PID:1468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d760ac1-f8d8-4936-9801-14eaee325acb.vbs"
        27⤵
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fef1fb5-3877-4ae1-89f1-100465c6ea7a.vbs"
        25⤵
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8665a5e-0948-435f-a513-1d2c8bca110e.vbs"
        23⤵
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f72ae8fb-21e3-43a1-b3f3-4d6cab732029.vbs"
        21⤵
        
        PID:64
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd3a017d-436e-405f-8a8c-8c268c894311.vbs"
        19⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9dc745b-c38a-444e-a0ba-f36895e31c6a.vbs"
        17⤵
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868302e3-2fad-4a27-a5a9-00b4772d2369.vbs"
        15⤵
        
        PID:484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\570cb80d-97be-4d28-8633-33b2e74b7625.vbs"
        13⤵
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a59cc87-f8ca-405c-9abc-3046c7a476c3.vbs"
        11⤵
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41eb3b0-a106-44b4-9c00-f92ffb10dfaa.vbs"
        9⤵
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf793964-2059-4e69-b9d7-5488fa93ad9c.vbs"
        7⤵
        
        PID:2296
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f7986f-44a9-418a-afe0-c3baf331d426.vbs"
        5⤵
        
        PID:364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c1cc5c4-b3d3-4c18-b311-6b3d4d0a322b.vbs"
    3⤵
    PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\devmgmt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\PeerDistCacheProvider\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\0103b47c-1c04-45c5-bca9-8f4541f74728.vbs

Filesize
704B

MD5
2ee7a9f62b173812cc147fa0888dec7b

SHA1
d94d02b9e7131bafbcb1a73796483de507f13afc

SHA256
593ea87f84c988bd576460eae4542e7ada9040227bf86caee39900a7d45378fc

SHA512
9747d9bdbe58325d2682e3423efd87e245a60991ea68fbc61841dd99079d91cdadfd0338068c808ac75e45b8942a8e65792866345ac968a6355a1a61fa007750

Download Submit
C:\Users\Admin\AppData\Local\Temp\15ad8c16-8fd7-47ae-bddc-ab4870b997e9.vbs

Filesize
704B

MD5
13bf09eec03724958803bc65019904e3

SHA1
2c21d00bf69d0e30f6fc68ada70452b6c32c8f62

SHA256
fdbb916637224be0a9e125ac7ca2003493970c5eefdce3e4dde44ab20b3a1a4c

SHA512
b51aacf3d12f6fa080534393fe4654af2074db7896fa5704304075717e319ff495a70b2864e5158fe739490fd527748687091d62b799f10005251d53af519050

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c1cc5c4-b3d3-4c18-b311-6b3d4d0a322b.vbs

Filesize
480B

MD5
49c50c9491eb9bb516999306252ce60e

SHA1
3e01c0165cbad765e9b9817eb13acaf23753c6f5

SHA256
6ad003fd8d21a7c9ac51e6f9f439e852955ace547f5b39f16b20704efc90fb6f

SHA512
9ca41dfee53b382419dc7af950a7720f59ae14dc9f5b7827c6c2f3df7c0ca0c12a5e8dd4305c3bdb2153efd7d4dd4bef8ea91f6c36cfe1f4436cbcdd2acc303b

Download Submit
C:\Users\Admin\AppData\Local\Temp\22c0a729-4c5d-4d0a-9696-9318db3041e9.vbs

Filesize
704B

MD5
4996e8683f3576759d24002a7bbe99dc

SHA1
a72c2c0ddaca170b59c6803ea970b9476775de3f

SHA256
8a78a250aae0605f6fabb6a3324cdfa140cd173ac9a1f4a08e01264ca701e64d

SHA512
f22066771743550e1b25edee9d147f6ae9eba5ca7b6d7ef2c8ebaddb8a89f43467d49d1369a29f89773442578163c7ba65918730138ed5473e1c09157cf83d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\23043ada-bfe7-4d4c-a3a7-3044bbbccc8c.vbs

Filesize
704B

MD5
6e86ad95f36866cdc412ef7502247c1e

SHA1
2a8ab7677401d18079b0b9b1c8feda07746648b6

SHA256
1712dda2ec054e54272e7008fd726a6b447272c0a578aa1b3eb8dae1f1bda71a

SHA512
fea7639a270121b06b1412a45a3f225eb34d50ea81a7dd6f24d1634db6c5606458703badc8cd57ec7876cdfcb56a4e0381b4372a08534a9ccae6e925423617c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ad0ddb-8009-4fff-b7b7-87a66eb10f6c.vbs

Filesize
704B

MD5
9e2f9135edf25d82e51525f164197845

SHA1
d873e36f58d3bdcf8d48b56f28970c7919fe22b1

SHA256
e6dfb63d1880f6589dac8fd39049925df8590fc1ef3524997190c24831d71a06

SHA512
d5ec2bcf81a7697e931a1de34f73de81a8c2448562aadb7ea1ed17261f78143d05ef787d60598e1a19b11096decfc2b7a083d449328ba90aa98f4cf5e4876e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\5aeffe1e-e20d-47a9-aca8-d382a0e46ec9.vbs

Filesize
703B

MD5
c31af41812092ce9b8224f840625adae

SHA1
55c2a7d00b066482277880aea6d080c90d2a6caf

SHA256
24b6f7bf9e5a2d3f183061733c3927af3ee7008925465508b2de852a0c2967c1

SHA512
daa9a6ee62b2af39f315321151a516fa35e9ec2c5163882f63912cb3da321582860d1ed7400527fddbf8a1780e0685863971bdc7d4c719227503f8704d056604

Download Submit
C:\Users\Admin\AppData\Local\Temp\79b168c3-861b-455d-be3c-8dfdd54467fc.vbs

Filesize
704B

MD5
fdf184da4f62bacb411c6047cde35f44

SHA1
fce8f719ba644b26eff294c7fc3f176fbbc547a9

SHA256
fa5421122da45624da5b567147c6ed09687183f9573c7b53a5a8abbca23b376c

SHA512
87e7f2e8f457dd539d3e7956a01eb268922a34831a9fce82a2a2f72b7c869913c6cea50af46d6d4c587fcd81b96e27c0039424627f865f29200ff1eaa400b8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fltpocj0.yre.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6afae9c-71e0-46cf-8860-6ff8d24d0c31.vbs

Filesize
704B

MD5
a199da8bcb4843c248bc99f2ed485524

SHA1
81d2b722668f826bbbe60056d0e3aedf38da2d68

SHA256
09f6bfe6fb3f95ef335b5ab3281b1ab15dfbc663ed9c55ae4c86f82e8e6003e6

SHA512
5dfd5a8c792b4acf69e3505ec3bc9bcc71fadce64620c586cd92bf9dfb84f1375195f2e0444b713645d05e42927f595195da3b7adc3b40ebd315cbd6a71cc495

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5e84cdf69cef985f3e9262d5f7b720d311c7a50.exe

Filesize
1.5MB

MD5
8cca5706b34a415a024a4b1d28745816

SHA1
8fdcdd22930945875c737b755a3fa6146308686d

SHA256
51733a564c9d9d4ca89813e0e54f5bc497d6c3c98e36c09164911160624d4e49

SHA512
8302f5db096e0b7de0024463d61ae30547c1d484d02123519a7bfb5e584d69e9407c4d964bbd71c783db06988b967ccfb520157fc8c5f9d09c9d1efb5059c7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\b66b34bc-2f2d-4dc8-87bd-2d121752c4ec.vbs

Filesize
704B

MD5
e2ff20b2ef38c62d17e368400545d1c0

SHA1
033865d072505f902b22cbcf1bbc4d0643f8cd13

SHA256
03f6fec2681294e3c516e05e815f8d107273e325f2b9a7e3044f4d6ca3baecd7

SHA512
c9c321dd47d80c0f3f20213ff08db2b50951ac545506967507d274c0a3353b5bd1ca7cf0f23f844c27eb93b04663a396b21c475edd1c00a9eebd34ec59d3e3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c330c5d3-9f22-4a07-a586-5c7405128d1e.vbs

Filesize
704B

MD5
653cc66ada16823f6b7e95de270f454f

SHA1
5514a64f06fe26035118272a4cdd06d40c881f14

SHA256
70c0492feec4a1dbd48e4f6c0431996b3e5933ad808ee9de09e65838b8d4a11b

SHA512
91ee4391b663ca679e3e8b60a4b26bd4aca8487412ef2d2fe7f74cd18eef2878b1e65161d34474edeadc5d03a0b46a584f277ffbe3c5c2875c4e50b18c4f41fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1eba5d0-8ace-4e9b-b53f-1f7483759ea2.vbs

Filesize
704B

MD5
5494e89bf3447df956393a7fa41def46

SHA1
9ca1c768e7b538c61ecee83198496f30de029cf1

SHA256
2414e07a3315758b8e7ee05faf88aa22ec36214250697fdf27d06d41b2448cba

SHA512
bb583b1a101d49b464cf7e273c0f2a1f51a4b2b7751283b03b54cd5a1c9ec3168c67f9a4f93ec028c7be7d3a0c59ce0247146fe903036a734fb3aa6f07afb35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3de8c17-831e-4c99-acb8-70ed9967b07e.vbs

Filesize
704B

MD5
4ef4bd6db1f67ec87d263c831499b8ec

SHA1
0ced551689ee5554c79e672c0b4ede75b9cdc3ec

SHA256
e7adbc326d3eaf408f2289703ac88d2a43f8b76a790f0a07d2f29553fece265a

SHA512
b264b49f55ac03f89d55716ad6ea6c1b4094458583094282a4888a921a46406f3a710d23d65b5282eb77b77c70243714a9ccfa7f79dac2c90cca93deff3b35d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e187a9f6-7ef2-4fec-88d1-99191fe1cffe.vbs

Filesize
704B

MD5
f861b245f635423a223f525bc4ed2b74

SHA1
a89b32a62f62eefb18b1b6467d1a59bc2898fa19

SHA256
e77fe5bf3b35408a2d16e2565f9cda448bdc3644cb7a6a1d870e7371cd63f3b1

SHA512
cb69bf36dcb5c5347a07c0ed216c97ecda9d44e40810e1e8e3af923a29848a7746990f3fac97c8935859576c40a8ad5d789d5aae20242037da2136e9225641c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3c68f7d-6f37-427d-a400-68a5117e1c52.vbs

Filesize
704B

MD5
d7b028d8de8a7d1643d5412c4f2a35b3

SHA1
9e2595a75d20405af5e9c1fc81ed86915d2826f6

SHA256
0c8978df18939001e475cc047236263f213ca2bef395b20c01d8936151e92b8e

SHA512
7bc931b346c3b324575a0cfac5834b70cabacb2d5019f78182a4f82913f67e1c2fb2211ebec6dc232b84ce499d6ac790eaab9b3ada21dc6c259b3479a317c737

Download Submit
C:\Users\dllhost.exe

Filesize
1.5MB

MD5
04c9152dc94eab52c92ddf3133f3ac7b

SHA1
59be48b0636b28831dc5436e0fb75c27d3384cd6

SHA256
9dd421db26445019a9fb120bb04a2ddc8ee339692af14749688d007afbeee5a1

SHA512
6a8c302eb67a44a32dcc2461b64ab3193b65b8570d5f0b998b8924899943a9227fe45b71d5dc16f50674f9cff94cb477159d95670340f12f7eca8c71be8e3560

Download Submit
memory/1656-212-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/1804-124-0x0000028A7F3D0000-0x0000028A7F3F2000-memory.dmp

Filesize
136KB

Download
memory/3040-335-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/4476-246-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/4592-12-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/4592-186-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-18-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/4592-20-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/4592-16-0x000000001C270000-0x000000001C278000-memory.dmp

Filesize
32KB

Download
memory/4592-17-0x000000001C280000-0x000000001C28C000-memory.dmp

Filesize
48KB

Download
memory/4592-15-0x000000001C260000-0x000000001C26A000-memory.dmp

Filesize
40KB

Download
memory/4592-24-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-14-0x000000001C250000-0x000000001C25C000-memory.dmp

Filesize
48KB

Download
memory/4592-13-0x000000001BC30000-0x000000001BC3A000-memory.dmp

Filesize
40KB

Download
memory/4592-0-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/4592-21-0x000000001C4B0000-0x000000001C4B8000-memory.dmp

Filesize
32KB

Download
memory/4592-11-0x000000001BC10000-0x000000001BC20000-memory.dmp

Filesize
64KB

Download
memory/4592-10-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/4592-9-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/4592-8-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/4592-7-0x000000001BAC0000-0x000000001BACC000-memory.dmp

Filesize
48KB

Download
memory/4592-6-0x000000001BAA0000-0x000000001BAAA000-memory.dmp

Filesize
40KB

Download
memory/4592-5-0x000000001BAB0000-0x000000001BABC000-memory.dmp

Filesize
48KB

Download
memory/4592-4-0x000000001BA90000-0x000000001BAA2000-memory.dmp

Filesize
72KB

Download
memory/4592-25-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-3-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/4592-2-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-1-0x0000000000E10000-0x0000000000F8E000-memory.dmp

Filesize
1.5MB

Download