dcrat | f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67f998093c11d8a104aef7a92a2d5b26.exe
Size

2.2MB
MD5

67f998093c11d8a104aef7a92a2d5b26
SHA1

cea4392bfb620e2d5b303c7f39fe68a30080a771
SHA256

f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1
SHA512

e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92
SSDEEP

49152:AsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvif:ALlK6d3/Nh/bV/Oq3Dxp2RUG

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 59 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4196	schtasks.exe
		3516	schtasks.exe
		1124	schtasks.exe
		3240	schtasks.exe
		4324	schtasks.exe
		740	schtasks.exe
		4540	schtasks.exe
		1328	schtasks.exe
		3188	schtasks.exe
		4784	schtasks.exe
		2084	schtasks.exe
		1600	schtasks.exe
		4712	schtasks.exe
		3964	schtasks.exe
		1680	schtasks.exe
		4268	schtasks.exe
		3112	schtasks.exe
		2900	schtasks.exe
		4544	schtasks.exe
		4548	schtasks.exe
		4936	schtasks.exe
		1492	schtasks.exe
		4864	schtasks.exe
		4732	schtasks.exe
		1132	schtasks.exe
		4132	schtasks.exe
		1628	schtasks.exe
File created	C:\Windows\assembly\886983d96e3d3e		67f998093c11d8a104aef7a92a2d5b26.exe
		4880	schtasks.exe
		1968	schtasks.exe
		4452	schtasks.exe
		1620	schtasks.exe
		3972	schtasks.exe
		4380	schtasks.exe
		2936	schtasks.exe
		2100	schtasks.exe
		4008	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		67f998093c11d8a104aef7a92a2d5b26.exe
		2740	schtasks.exe
		4688	schtasks.exe
		1980	schtasks.exe
		1740	schtasks.exe
		2028	schtasks.exe
		60	schtasks.exe
		4808	schtasks.exe
		540	schtasks.exe
		1656	schtasks.exe
		3448	schtasks.exe
		800	schtasks.exe
		1756	schtasks.exe
		2024	schtasks.exe
		3760	schtasks.exe
		688	schtasks.exe
		1960	schtasks.exe
		2668	schtasks.exe
		1880	schtasks.exe
		2512	schtasks.exe
		2368	schtasks.exe
		1556	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\Windows\\Panther\\actionqueue\\smss.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\", \"C:\\Windows\\appcompat\\Registry.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\sppsvc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\Windows\\Panther\\actionqueue\\smss.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\", \"C:\\Windows\\appcompat\\Registry.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\Windows\\Panther\\actionqueue\\smss.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\", \"C:\\Windows\\appcompat\\Registry.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\sppsvc.exe\", \"C:\\Windows\\bcastdvr\\fontdrvhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\Windows\\Panther\\actionqueue\\smss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\Windows\\Panther\\actionqueue\\smss.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\", \"C:\\Windows\\Panther\\actionqueue\\smss.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\", \"C:\\Windows\\appcompat\\Registry.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\smss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Users\\Admin\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\", \"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\", \"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\", \"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3540	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3540	schtasks.exe	83

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3832-1-0x00000000002D0000-0x00000000004FE000-memory.dmp	dcrat
behavioral2/files/0x000b000000023ba0-41.dat	dcrat
behavioral2/files/0x0008000000023c67-96.dat	dcrat
behavioral2/files/0x000c000000023ba0-134.dat	dcrat
behavioral2/files/0x0010000000023bc4-181.dat	dcrat
behavioral2/files/0x000c000000023c68-245.dat	dcrat
behavioral2/memory/3028-359-0x00000000005B0000-0x00000000007DE000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	67f998093c11d8a104aef7a92a2d5b26.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	67f998093c11d8a104aef7a92a2d5b26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 3 IoCs

pid	Process
3028	csrss.exe
3368	csrss.exe
1920	csrss.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\assembly\\csrss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Java\\jdk-1.8\\lib\\sihost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\backgroundTaskHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Panther\\actionqueue\\smss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\sppsvc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\bcastdvr\\fontdrvhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\bcastdvr\\fontdrvhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\csrss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Panther\\actionqueue\\smss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\smss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\sppsvc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\sppsvc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\appcompat\\Registry.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\smss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Globalization\\Time Zone\\TextInputHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Desktop\\fontdrvhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Admin\\backgroundTaskHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office\\RuntimeBroker.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dllhost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\spoolsv.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\appcompat\\Registry.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\assembly\\csrss.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\upfc.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\Registry.exe\""	67f998093c11d8a104aef7a92a2d5b26.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	67f998093c11d8a104aef7a92a2d5b26.exe

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\ModifiableWindowsApps\winlogon.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXB7FC.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\upfc.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sihost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Microsoft Office\9e8d7a4ca61bd9	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\886983d96e3d3e	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Microsoft Office\RuntimeBroker.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\RCXBA20.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXD8A1.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Java\jdk-1.8\lib\66fc9ff0ee96c2	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\ea1d8f6d871115	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\smss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\69ddcba757bf72	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RCXB5D7.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\sihost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXC15A.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXCEF4.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\0a1fd5f707cd16	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\0a1fd5f707cd16	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RCXB5D8.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\RCXBA21.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\upfc.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXC15B.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXB7FD.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXD38C.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXDAB5.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Microsoft Office\RuntimeBroker.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\RCXC670.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXD8A0.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXDAB6.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\f3b6ecef712a24	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\RCXC5F2.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXCEF3.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXD38B.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\smss.exe	67f998093c11d8a104aef7a92a2d5b26.exe

Drops file in Windows directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\Time Zone\TextInputHost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\Panther\actionqueue\smss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\appcompat\RCXD61E.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\bcastdvr\RCXDD39.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\assembly\csrss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\appcompat\Registry.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\assembly\886983d96e3d3e	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\Globalization\Time Zone\22eafd247d37c3	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\assembly\RCXB3C1.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\assembly\RCXB3C2.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\Registry.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\Globalization\Time Zone\TextInputHost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\Globalization\Time Zone\RCXBCB4.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXC3DE.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\bcastdvr\fontdrvhost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXCAC9.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\LiveKernelReports\backgroundTaskHost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\assembly\csrss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\ee2ad38f3d4382	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\bcastdvr\fontdrvhost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\Globalization\Time Zone\RCXBC36.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXC3DD.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXCAB9.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\bcastdvr\RCXDD38.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\fr-FR\29c1c3cc0f7685	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\Panther\actionqueue\smss.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\Panther\actionqueue\69ddcba757bf72	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\appcompat\ee2ad38f3d4382	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\fr-FR\RCXC895.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXD176.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\appcompat\RCXD5A0.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\Registry.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\LiveKernelReports\backgroundTaskHost.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\appcompat\Registry.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\fr-FR\RCXC875.tmp	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\fr-FR\unsecapp.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\fr-FR\unsecapp.exe	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\LiveKernelReports\eddb19405b7ce1	67f998093c11d8a104aef7a92a2d5b26.exe
File created	C:\Windows\bcastdvr\5b884080fd4f94	67f998093c11d8a104aef7a92a2d5b26.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXD177.tmp	67f998093c11d8a104aef7a92a2d5b26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	67f998093c11d8a104aef7a92a2d5b26.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
688	schtasks.exe
540	schtasks.exe
740	schtasks.exe
3972	schtasks.exe
4688	schtasks.exe
4544	schtasks.exe
2900	schtasks.exe
1980	schtasks.exe
1124	schtasks.exe
1620	schtasks.exe
2084	schtasks.exe
3964	schtasks.exe
4540	schtasks.exe
1968	schtasks.exe
2512	schtasks.exe
4864	schtasks.exe
2028	schtasks.exe
1880	schtasks.exe
4268	schtasks.exe
1328	schtasks.exe
4548	schtasks.exe
1656	schtasks.exe
4880	schtasks.exe
4784	schtasks.exe
4008	schtasks.exe
3240	schtasks.exe
2100	schtasks.exe
1628	schtasks.exe
800	schtasks.exe
4808	schtasks.exe
3188	schtasks.exe
3516	schtasks.exe
4732	schtasks.exe
2936	schtasks.exe
1960	schtasks.exe
1556	schtasks.exe
1600	schtasks.exe
1492	schtasks.exe
3760	schtasks.exe
2668	schtasks.exe
1756	schtasks.exe
3112	schtasks.exe
2024	schtasks.exe
3448	schtasks.exe
4196	schtasks.exe
4712	schtasks.exe
4380	schtasks.exe
4132	schtasks.exe
60	schtasks.exe
4936	schtasks.exe
2740	schtasks.exe
1680	schtasks.exe
1132	schtasks.exe
2368	schtasks.exe
4324	schtasks.exe
4452	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe
3832	67f998093c11d8a104aef7a92a2d5b26.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	67f998093c11d8a104aef7a92a2d5b26.exe
Token: SeDebugPrivilege	3028	csrss.exe
Token: SeDebugPrivilege	3368	csrss.exe
Token: SeDebugPrivilege	1920	csrss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 3028	3832	67f998093c11d8a104aef7a92a2d5b26.exe	149
PID 3832 wrote to memory of 3028	3832	67f998093c11d8a104aef7a92a2d5b26.exe	149
PID 3028 wrote to memory of 4700	3028	csrss.exe	155
PID 3028 wrote to memory of 4700	3028	csrss.exe	155
PID 3028 wrote to memory of 4436	3028	csrss.exe	156
PID 3028 wrote to memory of 4436	3028	csrss.exe	156
PID 4700 wrote to memory of 3368	4700	WScript.exe	161
PID 4700 wrote to memory of 3368	4700	WScript.exe	161
PID 3368 wrote to memory of 4592	3368	csrss.exe	163
PID 3368 wrote to memory of 4592	3368	csrss.exe	163
PID 3368 wrote to memory of 864	3368	csrss.exe	165
PID 3368 wrote to memory of 864	3368	csrss.exe	165
PID 4592 wrote to memory of 1920	4592	WScript.exe	167
PID 4592 wrote to memory of 1920	4592	WScript.exe	167
PID 1920 wrote to memory of 4376	1920	csrss.exe	169
PID 1920 wrote to memory of 4376	1920	csrss.exe	169
PID 1920 wrote to memory of 4512	1920	csrss.exe	170
PID 1920 wrote to memory of 4512	1920	csrss.exe	170

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	67f998093c11d8a104aef7a92a2d5b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67f998093c11d8a104aef7a92a2d5b26.exe
"C:\Users\Admin\AppData\Local\Temp\67f998093c11d8a104aef7a92a2d5b26.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3832
- C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe
  "C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bca8b7c-884e-454e-b214-43217d05b2c2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe
      "C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3368
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c8c5ec-5ee6-4889-ad40-10108beec65d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3d84b7-55b0-41ad-b00a-c249089f1e49.vbs"
        7⤵
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd28b70-4d48-40a6-b130-267c3c0c582e.vbs"
        7⤵
        
        PID:4512
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aad8711-2b9c-48bb-b61e-78a1cd529fc8.vbs"
        5⤵
        
        PID:864
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb350abb-1f98-4d8b-8d6e-1e10b2d4b8d0.vbs"
    3⤵
    PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\lib\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\lib\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\Ole DB\en-US\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\Ole DB\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Time Zone\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Time Zone\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\appcompat\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\lib\RCXB5D8.tmp

Filesize
2.2MB

MD5
70f35d04041d9c029d59586fc6aa3819

SHA1
a9f37462584d22bad8909ffc1c047cdfee84f049

SHA256
517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6

SHA512
1739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\RCXD38B.tmp

Filesize
2.2MB

MD5
9a79c16b497985668dd3ee6eaa26f4f8

SHA1
739c7fee6813ec85298e5d106364f7a215cc8738

SHA256
9bbabb1628620095ff00cd7fa22092a3611cc42c6daa6dcf40be50f8504fbdbb

SHA512
4857778449876a6ad8812e67d579b76dd43d7b4c101d82f1404bc4344047d8b7dab5dedf9511330e854484f1a0c44241fb98036a91771164010a66e8b1f23d42

Download Submit
C:\Program Files\WindowsPowerShell\Modules\PSReadline\csrss.exe

Filesize
2.2MB

MD5
403acfbf586328af4f046401e6cdf816

SHA1
1ad85e8c4d5bb0f903a112b18bf77e80f0b65b57

SHA256
f345ddcea6d79f9ce20cc3b7c9772cd1bc7537d5869c6ead3f9d7260507d5389

SHA512
29f4e96c7c02f3ceb9f0b87f75e3ce757c5f99db0f8f97d10a104261530f36aef2f83e988e3b7316b32adbba435f676a9b2bfde7fcc6e9c1c10174a1886561db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bca8b7c-884e-454e-b214-43217d05b2c2.vbs

Filesize
739B

MD5
b491f867fb3ee890abc2db9d05dd7bb2

SHA1
0dbc7876e7e43d8cc7dc50d9500aeb609585b161

SHA256
8670892d87c7a59d847d3774da8b13ef5ee74f958bfb4c1663be9ee76b88a40e

SHA512
607511d968eb1d7846ea5c2593a720ced815899777a07b47b6ba656918d7c924b6dc850740710cfdf885cfd002e5f29d344250ea78d33ac11aa388d52314664a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c8c5ec-5ee6-4889-ad40-10108beec65d.vbs

Filesize
739B

MD5
9a6676f8039140d94d8bce5781971d3e

SHA1
8d745a3b0664aadd7f7a490f0195dab8e70b7567

SHA256
82bec94addbfbe0fb4b5bfa8ca664be9231212456872050b55431192dc877c32

SHA512
84cd1687ee7f34336e88aa467e2735abccc1e88045531e8ff78ee34b9bfea3a6d075f64cb85643ae82b054275980f6a643556c75669b051d1dace7ca1f898975

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb3d84b7-55b0-41ad-b00a-c249089f1e49.vbs

Filesize
739B

MD5
beb5bef5f690ca352d682eb313a40c82

SHA1
38920418e0112c0c10fad96fc3e6209e8e958d56

SHA256
47795c9ed1f409bde7bb2d06700960ed05c632ecb925ee98f33f6979ff6b7697

SHA512
3139261bc07136577c835ff6ff5a194d952fa27fa1472ace89302ec5422c828f450872b57cd5013d75719c9fd18146b17007fcd7c4b11ff188001aa33c66e41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb350abb-1f98-4d8b-8d6e-1e10b2d4b8d0.vbs

Filesize
515B

MD5
63257a24d0b5fbb756e44f74a8f04736

SHA1
715736c7e5a4cbea7bc96dca0143d0f5d35ed432

SHA256
b05f988ea2a77ab42a0ecf74204f82de524a24a095271d7539ea6cb85d9d90ee

SHA512
cebdd1d0195334a7d2d06bf744147a14a41e88541b31fa85f59383e0f14e606b3e7348c810c28d3b4187667142680a031ca4f1126b762d3ac83ab9e0bc7e4cf7

Download Submit
C:\Windows\Globalization\Time Zone\TextInputHost.exe

Filesize
2.2MB

MD5
67f998093c11d8a104aef7a92a2d5b26

SHA1
cea4392bfb620e2d5b303c7f39fe68a30080a771

SHA256
f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

SHA512
e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

Download Submit
C:\Windows\Globalization\Time Zone\TextInputHost.exe

Filesize
2.2MB

MD5
9fb8e0328122edc099299425ead284d5

SHA1
0d6f438170734cd07e872b531a950f54b3ac16b0

SHA256
1bd36be07a7271aa99c8f15e95c5b9c4196a57904af792ee971dab5fcc2e4e8b

SHA512
0589aa436af804bebcbb038bbdf9f8b98040042c8e329891d3300f6685e14b52187a9c366c5adec5f00707b97112f81af753ea8382f614ee34aacf19dd71b684

Download Submit
memory/3028-359-0x00000000005B0000-0x00000000007DE000-memory.dmp

Filesize
2.2MB

Download
memory/3832-12-0x000000001B800000-0x000000001B810000-memory.dmp

Filesize
64KB

Download
memory/3832-27-0x000000001BB30000-0x000000001BB3E000-memory.dmp

Filesize
56KB

Download
memory/3832-13-0x000000001B810000-0x000000001B81A000-memory.dmp

Filesize
40KB

Download
memory/3832-14-0x000000001B820000-0x000000001B82C000-memory.dmp

Filesize
48KB

Download
memory/3832-15-0x000000001B830000-0x000000001B838000-memory.dmp

Filesize
32KB

Download
memory/3832-16-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/3832-17-0x000000001B850000-0x000000001B858000-memory.dmp

Filesize
32KB

Download
memory/3832-19-0x000000001B860000-0x000000001B872000-memory.dmp

Filesize
72KB

Download
memory/3832-20-0x000000001BDC0000-0x000000001C2E8000-memory.dmp

Filesize
5.2MB

Download
memory/3832-21-0x000000001B890000-0x000000001B89C000-memory.dmp

Filesize
48KB

Download
memory/3832-22-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/3832-23-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

Filesize
48KB

Download
memory/3832-24-0x000000001B9C0000-0x000000001B9CA000-memory.dmp

Filesize
40KB

Download
memory/3832-28-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/3832-31-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/3832-30-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-29-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/3832-6-0x000000001B7A0000-0x000000001B7F0000-memory.dmp

Filesize
320KB

Download
memory/3832-26-0x000000001B9E0000-0x000000001B9E8000-memory.dmp

Filesize
32KB

Download
memory/3832-25-0x000000001B9D0000-0x000000001B9DE000-memory.dmp

Filesize
56KB

Download
memory/3832-34-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-0-0x00007FFA3CB73000-0x00007FFA3CB75000-memory.dmp

Filesize
8KB

Download
memory/3832-11-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

Filesize
32KB

Download
memory/3832-7-0x000000001B040000-0x000000001B048000-memory.dmp

Filesize
32KB

Download
memory/3832-169-0x00007FFA3CB73000-0x00007FFA3CB75000-memory.dmp

Filesize
8KB

Download
memory/3832-10-0x000000001B080000-0x000000001B08C000-memory.dmp

Filesize
48KB

Download
memory/3832-193-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-241-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-9-0x000000001B060000-0x000000001B076000-memory.dmp

Filesize
88KB

Download
memory/3832-360-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-8-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/3832-5-0x000000001B020000-0x000000001B03C000-memory.dmp

Filesize
112KB

Download
memory/3832-4-0x000000001AFC0000-0x000000001AFCE000-memory.dmp

Filesize
56KB

Download
memory/3832-3-0x000000001AFB0000-0x000000001AFBE000-memory.dmp

Filesize
56KB

Download
memory/3832-2-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/3832-1-0x00000000002D0000-0x00000000004FE000-memory.dmp

Filesize
2.2MB

Download