dcrat | d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Size

1.1MB
MD5

66c9a250fe9e60c4df2c9a157ae39211
SHA1

cabc35fd42f4534f5e05b5b9bd65dcfc85e469a7
SHA256

d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd
SHA512

1439934414be0b92acf1b51e6b3ba0a1ad296b879361f42fc557b740bde42204515bbbccfe5e9c74b702caf786c201ececee76bc5841618560f56de047c9cdc8
SSDEEP

12288:amc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:ah4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsShell\\explorer.exe\", \"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\polprou\\WmiPrvSE.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsShell\\explorer.exe\", \"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\polprou\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\Utilman\\taskhost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsShell\\explorer.exe\", \"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\polprou\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\Utilman\\taskhost.exe\", \"C:\\Windows\\System32\\DFDWiz\\csrss.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsShell\\explorer.exe\", \"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\polprou\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\Utilman\\taskhost.exe\", \"C:\\Windows\\System32\\DFDWiz\\csrss.exe\", \"C:\\Windows\\System32\\XpsPrint\\lsm.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsShell\\explorer.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsShell\\explorer.exe\", \"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2948	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
2916	powershell.exe
2676	powershell.exe
1512	powershell.exe
2864	powershell.exe
988	powershell.exe
780	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Executes dropped EXE 13 IoCs

pid	Process
3040	csrss.exe
2484	csrss.exe
2000	csrss.exe
2592	csrss.exe
1860	csrss.exe
2032	csrss.exe
2360	csrss.exe
2888	csrss.exe
2516	csrss.exe
2552	csrss.exe
2640	csrss.exe
2852	csrss.exe
472	csrss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\Utilman\\taskhost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\DFDWiz\\csrss.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\DFDWiz\\csrss.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\polprou\\WmiPrvSE.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\Utilman\\taskhost.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\XpsPrint\\lsm.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\XpsPrint\\lsm.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsShell\\explorer.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsShell\\explorer.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\SensorsCpl\\lsm.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\polprou\\WmiPrvSE.exe\""	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorsCpl\lsm.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\Utilman\RCXB60A.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\Utilman\taskhost.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\XpsPrint\lsm.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\SensorsCpl\lsm.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\wbem\polprou\WmiPrvSE.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\wbem\polprou\24dbde2999530e	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\DFDWiz\csrss.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\XpsPrint\lsm.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\DFDWiz\RCXB80E.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\DFDWiz\csrss.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\XpsPrint\RCXBA12.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\Utilman\taskhost.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\DFDWiz\886983d96e3d3e	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\XpsPrint\101b941d020240	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\wbem\polprou\RCXB406.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\wbem\polprou\WmiPrvSE.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\SensorsCpl\101b941d020240	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\System32\Utilman\b75386f1303e64	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\System32\SensorsCpl\RCXB203.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\WindowsShell\explorer.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\WindowsShell\explorer.exe	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File created	C:\Windows\WindowsShell\7a0fd90576e088	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
File opened for modification	C:\Windows\WindowsShell\RCXAFFF.tmp	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe
2724	schtasks.exe
2832	schtasks.exe
2712	schtasks.exe
2996	schtasks.exe
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
2864	powershell.exe
2916	powershell.exe
2676	powershell.exe
780	powershell.exe
1512	powershell.exe
988	powershell.exe
580	powershell.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe
3040	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3040	csrss.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2484	csrss.exe
Token: SeDebugPrivilege	2000	csrss.exe
Token: SeDebugPrivilege	2592	csrss.exe
Token: SeDebugPrivilege	1860	csrss.exe
Token: SeDebugPrivilege	2032	csrss.exe
Token: SeDebugPrivilege	2360	csrss.exe
Token: SeDebugPrivilege	2888	csrss.exe
Token: SeDebugPrivilege	2516	csrss.exe
Token: SeDebugPrivilege	2552	csrss.exe
Token: SeDebugPrivilege	2640	csrss.exe
Token: SeDebugPrivilege	2852	csrss.exe
Token: SeDebugPrivilege	472	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 580	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	37
PID 1196 wrote to memory of 580	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	37
PID 1196 wrote to memory of 580	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	37
PID 1196 wrote to memory of 780	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	38
PID 1196 wrote to memory of 780	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	38
PID 1196 wrote to memory of 780	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	38
PID 1196 wrote to memory of 988	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	39
PID 1196 wrote to memory of 988	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	39
PID 1196 wrote to memory of 988	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	39
PID 1196 wrote to memory of 2864	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	40
PID 1196 wrote to memory of 2864	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	40
PID 1196 wrote to memory of 2864	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	40
PID 1196 wrote to memory of 1512	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	42
PID 1196 wrote to memory of 1512	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	42
PID 1196 wrote to memory of 1512	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	42
PID 1196 wrote to memory of 2676	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	44
PID 1196 wrote to memory of 2676	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	44
PID 1196 wrote to memory of 2676	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	44
PID 1196 wrote to memory of 2916	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	46
PID 1196 wrote to memory of 2916	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	46
PID 1196 wrote to memory of 2916	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	46
PID 1196 wrote to memory of 3040	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	51
PID 1196 wrote to memory of 3040	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	51
PID 1196 wrote to memory of 3040	1196	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe	51
PID 3040 wrote to memory of 1156	3040	csrss.exe	52
PID 3040 wrote to memory of 1156	3040	csrss.exe	52
PID 3040 wrote to memory of 1156	3040	csrss.exe	52
PID 3040 wrote to memory of 272	3040	csrss.exe	53
PID 3040 wrote to memory of 272	3040	csrss.exe	53
PID 3040 wrote to memory of 272	3040	csrss.exe	53
PID 1156 wrote to memory of 2484	1156	WScript.exe	55
PID 1156 wrote to memory of 2484	1156	WScript.exe	55
PID 1156 wrote to memory of 2484	1156	WScript.exe	55
PID 2484 wrote to memory of 2220	2484	csrss.exe	56
PID 2484 wrote to memory of 2220	2484	csrss.exe	56
PID 2484 wrote to memory of 2220	2484	csrss.exe	56
PID 2484 wrote to memory of 2860	2484	csrss.exe	57
PID 2484 wrote to memory of 2860	2484	csrss.exe	57
PID 2484 wrote to memory of 2860	2484	csrss.exe	57
PID 2220 wrote to memory of 2000	2220	WScript.exe	58
PID 2220 wrote to memory of 2000	2220	WScript.exe	58
PID 2220 wrote to memory of 2000	2220	WScript.exe	58
PID 2000 wrote to memory of 1728	2000	csrss.exe	59
PID 2000 wrote to memory of 1728	2000	csrss.exe	59
PID 2000 wrote to memory of 1728	2000	csrss.exe	59
PID 2000 wrote to memory of 292	2000	csrss.exe	60
PID 2000 wrote to memory of 292	2000	csrss.exe	60
PID 2000 wrote to memory of 292	2000	csrss.exe	60
PID 1728 wrote to memory of 2592	1728	WScript.exe	61
PID 1728 wrote to memory of 2592	1728	WScript.exe	61
PID 1728 wrote to memory of 2592	1728	WScript.exe	61
PID 2592 wrote to memory of 2336	2592	csrss.exe	62
PID 2592 wrote to memory of 2336	2592	csrss.exe	62
PID 2592 wrote to memory of 2336	2592	csrss.exe	62
PID 2592 wrote to memory of 264	2592	csrss.exe	63
PID 2592 wrote to memory of 264	2592	csrss.exe	63
PID 2592 wrote to memory of 264	2592	csrss.exe	63
PID 2336 wrote to memory of 1860	2336	WScript.exe	64
PID 2336 wrote to memory of 1860	2336	WScript.exe	64
PID 2336 wrote to memory of 1860	2336	WScript.exe	64
PID 1860 wrote to memory of 1752	1860	csrss.exe	65
PID 1860 wrote to memory of 1752	1860	csrss.exe	65
PID 1860 wrote to memory of 1752	1860	csrss.exe	65
PID 1860 wrote to memory of 1316	1860	csrss.exe	66

System policy modification 1 TTPs 42 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe
"C:\Users\Admin\AppData\Local\Temp\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\WindowsShell\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SensorsCpl\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\polprou\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Utilman\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DFDWiz\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\XpsPrint\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\DFDWiz\csrss.exe
  "C:\Windows\System32\DFDWiz\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53fe5bfd-1f3d-4476-84c3-42996c0b91e7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\System32\DFDWiz\csrss.exe
      C:\Windows\System32\DFDWiz\csrss.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2484
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70a9e32d-cec6-494a-9b85-f3bd2718a060.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2dff8f-34f0-4bc9-a67d-9d059878a6f8.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dfb9a1e-cc10-4044-af65-6a7c3f3e9385.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\056775ea-4721-49da-8f75-1a033b9589f8.vbs"
        11⤵
        
        PID:1752
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c1f9501-0165-463a-ad4e-eecdbc45a60b.vbs"
        13⤵
        
        PID:2352
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e28a6dfe-584d-405a-9da9-c4d49653f06c.vbs"
        15⤵
        
        PID:2704
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ecd73fa-4c0e-43b2-86d7-3832ba29089b.vbs"
        17⤵
        
        PID:1968
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9add739-9bf9-4ab3-aca9-7556a0753449.vbs"
        19⤵
        
        PID:908
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb1955f9-f825-4307-b8f9-bc1467b0689e.vbs"
        21⤵
        
        PID:612
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30607555-e8cd-4c9f-a723-2f3e0429b832.vbs"
        23⤵
        
        PID:2492
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92707d46-3146-44b1-8c6b-0037e646f055.vbs"
        25⤵
        
        PID:592
        
        C:\Windows\System32\DFDWiz\csrss.exe
        
        C:\Windows\System32\DFDWiz\csrss.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86de091-8cdc-4bee-a5e7-61b0ed3b091d.vbs"
        27⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4352cbca-37d8-4c39-b604-4b94df0acf94.vbs"
        27⤵
        
        PID:552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd14f2ad-2ce2-410d-b6e5-a24aaf81ecec.vbs"
        25⤵
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c4d9bb0-f50f-4598-8545-13063b6d348c.vbs"
        23⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d0c5e1-f492-4dd5-b4c9-5227163d7add.vbs"
        21⤵
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57e83b5a-04ec-465a-8b45-e258f97e6faf.vbs"
        19⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90233cbf-b9bf-4bbf-92e2-14c761fbd54f.vbs"
        17⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4a59dce-b714-41f1-8a3e-e2ca576118b8.vbs"
        15⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea22ae76-2a89-4572-9f79-fd4bfc9272a3.vbs"
        13⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a70c60c1-83c0-4ed3-84b1-ef7159c33422.vbs"
        11⤵
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1017fbe8-bdd4-4992-9869-1d3ae5cbdb11.vbs"
        9⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64821a8c-85f0-4384-aa35-2f6e49bc0b7b.vbs"
        7⤵
        
        PID:292
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e8ef978-3f7f-4114-9374-c6bd76fbb1f7.vbs"
        5⤵
        
        PID:2860
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\645ec2df-54a6-4539-9d1b-b5432998d8aa.vbs"
    3⤵
    PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\SensorsCpl\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\polprou\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\Utilman\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\DFDWiz\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\XpsPrint\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\056775ea-4721-49da-8f75-1a033b9589f8.vbs

Filesize
712B

MD5
e2b2d04b9ccb2bcd1304506ce971b63d

SHA1
e8b172b029e73ac090d23319304e0ab8c317b624

SHA256
c9e719c039c0103eef6444c3fe080ee9c615b0f44c9409ee4da7e41b539b2be6

SHA512
86f5d92eb06c810b20e70282efd158cf4f7792e0cfe0f45ce90ae977ab8841c8056548b363851348d8a5036a20af6350883557f5cf6751ec3c66a2df8c554e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dfb9a1e-cc10-4044-af65-6a7c3f3e9385.vbs

Filesize
712B

MD5
eed037aaa59168588189e4b9635a2d6b

SHA1
ba8943572e4f7b3d2ca7be3967f8b7fe9372dc53

SHA256
212b70e3a10d86da82af3713389649543eee917be65f8a85e880b82687336552

SHA512
7ac536775f42742029e12674ba7bcdd5b2191ba398f8bb76f9469ca6f892bca8e5e0f0e6f6aae70e4beb31a78eb41126d4930fb3ce9f59d0a17140ff8bfafec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c2dff8f-34f0-4bc9-a67d-9d059878a6f8.vbs

Filesize
712B

MD5
15041bda6aa484035bf23b4fc34a03b7

SHA1
8e1e92a707466a8d6c5f584072be0d76e7485f4f

SHA256
77ef4968168e289888a724d1348a8c5d189448e3d5649097f9a61a6d4d9568ce

SHA512
e638128ad15482fc9cb45bfd68504ec5aed451ffeba48cf6a10bd5634439a6f85a33f5a0fe11ad3bffc16e0811044368df36f356801e5ffbf33642ff8fc87d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\30607555-e8cd-4c9f-a723-2f3e0429b832.vbs

Filesize
712B

MD5
82f3c01bd1cb98d7ba065ccec77d99a6

SHA1
0e30ef2b8ef227bd3f0df4a047ad2134805b7ab1

SHA256
901ac3ea04a5f1627e95d35d38f120c8fadb6949e7c3415015ca0ba08eb9d081

SHA512
b767e0c13e9aea477ad135612b35c6dea5de7e8fc1b9d1e0c08d14673167053cdbea585dfe63d4195ffcc280fffb463c35ed078baf92b7501b8fe7e756ce2419

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ecd73fa-4c0e-43b2-86d7-3832ba29089b.vbs

Filesize
712B

MD5
d64d8932ae94f53a13c3c6336cb1cb4a

SHA1
551fc18b7e3dd7482e142763f59ca7968326492c

SHA256
0cfe29fb39bd57c7df485dbcde00f8d2cd70ff25515c23ebe5d0a80fc7c696c2

SHA512
32b157a89867289fe35d9dd81915fe0288b6745ef4aa65bfdb3b5fd5fea2f6a16f7efc22d0f57f2feefef946452365de3774f240b0002e5eba977c2f4728f670

Download Submit
C:\Users\Admin\AppData\Local\Temp\53fe5bfd-1f3d-4476-84c3-42996c0b91e7.vbs

Filesize
712B

MD5
f7229cc548f30ad2a39e44e675023ee4

SHA1
61c776fbfbf077df1a877883db4d9cf10a18b3c6

SHA256
6f5abd1d766d114192612815a03fe5943d9fc66112c05ac910415cc31bb184c5

SHA512
dcb06357a3fe6e065d76ce9eca4a93adcbd5cfbd3285038b1b184745ec5dd6074ab7e6149a3c3534edb5408692a2ddc045efc1062a45a30e7b601382beaa7c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\645ec2df-54a6-4539-9d1b-b5432998d8aa.vbs

Filesize
488B

MD5
203ba8593016628ffebabb1d149e07a5

SHA1
435a46a9cf8959ced49d199976787437c19b0e1d

SHA256
959f878ca63c9a599a8fe75565b03e2621b1921ea6f0e2f385223a8e625e8c15

SHA512
6ddaf2a3a045a349140f76f27da557828336dc1956895eb6b110641b34055720d2c31e807a77ec328cd191dd92b55486b5d30fd6ee7cb145d592f3b55016ac28

Download Submit
C:\Users\Admin\AppData\Local\Temp\70a9e32d-cec6-494a-9b85-f3bd2718a060.vbs

Filesize
712B

MD5
fad4378b0a56d06cfb990dbbccff3afd

SHA1
c06de34a54841e96a6da60a91e945fbf806f7c39

SHA256
e3f8cb8cf82366854885fda58423aa21b7f60feba1b6a5214b4d75848b1f5966

SHA512
c44a1ba11aa8df59f8f24c7159c9ac292b704fc0ed7ba2fb5b343e7c0afb604194fc119b21c63c4657a904da16c16f2a24ebe7a8704630c076ee33c642df9cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c1f9501-0165-463a-ad4e-eecdbc45a60b.vbs

Filesize
712B

MD5
e14c456a26355d71952bab999d0878ea

SHA1
76cba42129e8a2c0f5cea5dee7230f27db938d54

SHA256
8fdc2ee9b3d17fcdfd5be76a50d331c8432cafa11fb1b8f3f3130fbed6f24d7c

SHA512
c91e15fae74a965af04c816b240ec9b137d0f693adc22948db9582ac7ead0207176f436bf66656f09224bb32e827f3102e6996dac1243c85e59b869da20f66d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\92707d46-3146-44b1-8c6b-0037e646f055.vbs

Filesize
712B

MD5
4235d0bab4859293a18925e76f584413

SHA1
2588905d76612ccdcef91c8c0fe3e84bdb3cf649

SHA256
0a7d53132984b66991fe2471665c0cf7a0b0e32e3aed9e4ea49878464c8d936f

SHA512
eda00b7a9b51bc74e495ce3bd3676d7196454a7eeda20ecb68d721daf2fd0609ae53bd6818a25df9a4b295aa74ea577d7ba8d72cc35536623c0eeb66122e6867

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb1955f9-f825-4307-b8f9-bc1467b0689e.vbs

Filesize
712B

MD5
ce76d1ca569a27db617d39cef5d719d8

SHA1
facb7babed045cb8dc3295d34cd9f3423e523e18

SHA256
67ab206edce9ae0d816a954542f3fa90512468df6e5d2c1eca10113769ef2b24

SHA512
ab6bcc55c106ed43bcce72d39a8161f5842b3fc930997aff64667edcfe999ec1ced75a63dbaca40a20d46333510f9439e3f031f9b411805b2168bc405f2b71ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\d86de091-8cdc-4bee-a5e7-61b0ed3b091d.vbs

Filesize
711B

MD5
ae41ab40a380f4be1aafd0ff8bfb4804

SHA1
7949e85d96dd90c6398d875e4ecf72ab4c37a48c

SHA256
f5633eb171b9f546f0fb408be73a7b9c42020ba28f43ee06c4dd8eb839aacc98

SHA512
370137ec9158eea60f08ab87d7641c267e45bc60cfb4c9e30f842ff4f522d17c099f7edb74b16daa0064d90bb12fafdc8b4e20db805d3140509424e90e735ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e28a6dfe-584d-405a-9da9-c4d49653f06c.vbs

Filesize
712B

MD5
f4d14b0099ba72d9738729f417ca8ff6

SHA1
f0d60307dca03acc49a614946855ef8b5acd4b56

SHA256
304252c6a7ef393252bfa8e7a63f123feb22c9a5ffa6eda1f317a3920ee6fa64

SHA512
31d55653e3f81fa09b6a107a7d7a22655fcebce7b9b3e16d048f89ea24b285fc79f51a5a9f309336796ede9ce9a93c4271d47b29b5ee6ab5ce15c7e7f246c03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9add739-9bf9-4ab3-aca9-7556a0753449.vbs

Filesize
712B

MD5
a0e227cdaa03559fdfc571e62c74ac4e

SHA1
5ce44c9f71f8be44a4340df094a5ba1530cac9d3

SHA256
7fa8ec88b0cee1a7e2c3dec8264e242516842426837c1235ff198f0ed477e921

SHA512
bd7820b4ecd8c25f9f174c76c63f89bc58a5a8d4b90475e55201d27e40f6c2660dad0096f62c6ac4d4a6a2f7f4f660141ec3f05b56ad3212df33d4b869a9874f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fd8db02b84741126aac6d0e5e53e6b10

SHA1
1555017e90d10e67cd0ee6243cb2acc5f61087f3

SHA256
5c171564376f2337eed10024bead705aa0de7ea6a4e844e4face43ec27da5e88

SHA512
eb7593029ec4a8d7bf6fca3e23ef5ab4c74d43ee0a052626e52cdb2b8ac5e7e1defb177beecdc119c465cc0f69a5089daaa4b7980add1ca23dc67354f5555b9e

Download Submit
C:\Windows\System32\DFDWiz\csrss.exe

Filesize
1.1MB

MD5
66c9a250fe9e60c4df2c9a157ae39211

SHA1
cabc35fd42f4534f5e05b5b9bd65dcfc85e469a7

SHA256
d264be7b02773b7c80509deaa970e2a2a8f681321e71b36a8a6377486bff23bd

SHA512
1439934414be0b92acf1b51e6b3ba0a1ad296b879361f42fc557b740bde42204515bbbccfe5e9c74b702caf786c201ececee76bc5841618560f56de047c9cdc8

Download Submit
memory/472-266-0x0000000000070000-0x0000000000184000-memory.dmp

Filesize
1.1MB

Download
memory/1196-6-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/1196-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1196-21-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1196-13-0x0000000002090000-0x000000000209A000-memory.dmp

Filesize
40KB

Download
memory/1196-12-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1196-18-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1196-14-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/1196-123-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1196-17-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/1196-15-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/1196-20-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/1196-16-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1196-7-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1196-11-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/1196-8-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1196-1-0x00000000001D0000-0x00000000002E4000-memory.dmp

Filesize
1.1MB

Download
memory/1196-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1196-5-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1196-2-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1196-3-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1196-10-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/1196-4-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1860-170-0x0000000000BA0000-0x0000000000CB4000-memory.dmp

Filesize
1.1MB

Download
memory/2000-147-0x0000000000810000-0x0000000000924000-memory.dmp

Filesize
1.1MB

Download
memory/2032-182-0x0000000000220000-0x0000000000334000-memory.dmp

Filesize
1.1MB

Download
memory/2360-195-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2360-194-0x0000000001150000-0x0000000001264000-memory.dmp

Filesize
1.1MB

Download
memory/2484-135-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2484-134-0x00000000001F0000-0x0000000000304000-memory.dmp

Filesize
1.1MB

Download
memory/2516-219-0x0000000000980000-0x0000000000A94000-memory.dmp

Filesize
1.1MB

Download
memory/2552-231-0x0000000001200000-0x0000000001314000-memory.dmp

Filesize
1.1MB

Download
memory/2852-254-0x00000000012E0000-0x00000000013F4000-memory.dmp

Filesize
1.1MB

Download
memory/2888-207-0x0000000000020000-0x0000000000134000-memory.dmp

Filesize
1.1MB

Download
memory/2916-96-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2916-117-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/3040-97-0x0000000000840000-0x0000000000954000-memory.dmp

Filesize
1.1MB

Download