dcrat | 563d00ae7f20691f00834ec48e58f85519af8425e46045a03d587f3c6e42f3f6

Analysis

max time kernel
57s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e3f692a00a384f021b60e1ac5e23c5c.exe
Size

2.6MB
MD5

1e3f692a00a384f021b60e1ac5e23c5c
SHA1

b80fdeaaea1379f593314ad60d1ab9da6cf2daa1
SHA256

563d00ae7f20691f00834ec48e58f85519af8425e46045a03d587f3c6e42f3f6
SHA512

6d82fc2a4a11e5fde4c40a01101bb7f27ff1f901360359b8772f762d0ebe085d1382c43f220d0ddd6b1f76666087af33fa47de400ae1032afa4ace6c7cd2fc6c
SSDEEP

49152:PpTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:PZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1532	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1048-54-0x00000000011E0000-0x0000000001484000-memory.dmp	dcrat
C:\Users\All Users\Microsoft\csrss.exe	dcrat
C:\ProgramData\Microsoft\csrss.exe	dcrat
behavioral1/memory/2528-135-0x00000000013E0000-0x0000000001684000-memory.dmp	dcrat
behavioral1/memory/1416-153-0x0000000001DE0000-0x0000000001E60000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 20 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smss.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXA9E3.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smss.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\69ddcba757bf72	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows NT\dwm.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\dwm.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXCD31.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows NT\6cb0b6c459d5d3	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files\Windows NT\RCX6BA0.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files\Windows NT\RCX6F0A.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXA678.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX1C7A.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files\Windows NT\dwm.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXC9C6.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\dwm.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\6cb0b6c459d5d3	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX190F.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe

Drops file in Windows directory 15 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
File created	C:\Windows\fr-FR\lsm.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\PCHEALTH\75a57c1bdf437c	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\fr-FR\RCXC16C.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\fr-FR\lsm.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\PCHEALTH\WMIADAP.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\Offline Web Pages\WMIADAP.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\PCHEALTH\WMIADAP.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\PCHEALTH\RCXD58B.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\fr-FR\101b941d020240	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\fr-FR\RCXBE02.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX3FF7.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX3C8D.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\Offline Web Pages\WMIADAP.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File opened for modification	C:\Windows\PCHEALTH\RCXD8F6.tmp	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\Offline Web Pages\75a57c1bdf437c	1e3f692a00a384f021b60e1ac5e23c5c.exe

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1536	schtasks.exe
1120	schtasks.exe
864	schtasks.exe
860	schtasks.exe
2040	schtasks.exe
900	schtasks.exe
268	schtasks.exe
2036	schtasks.exe
1172	schtasks.exe
684	schtasks.exe
1728	schtasks.exe
1208	schtasks.exe
1756	schtasks.exe
1172	schtasks.exe
1076	schtasks.exe
1884	schtasks.exe
1184	schtasks.exe
1280	schtasks.exe
1176	schtasks.exe
1488	schtasks.exe
304	schtasks.exe
924	schtasks.exe
588	schtasks.exe
580	schtasks.exe
1688	schtasks.exe
1120	schtasks.exe
1488	schtasks.exe
588	schtasks.exe
2032	schtasks.exe
1216	schtasks.exe
1592	schtasks.exe
680	schtasks.exe
1740	schtasks.exe
744	schtasks.exe
1708	schtasks.exe
1952	schtasks.exe
1056	schtasks.exe
1312	schtasks.exe
1568	schtasks.exe
1772	schtasks.exe
668	schtasks.exe
1812	schtasks.exe
1260	schtasks.exe
1456	schtasks.exe
1492	schtasks.exe
1980	schtasks.exe
1904	schtasks.exe
1464	schtasks.exe
1516	schtasks.exe
1060	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

pid	process
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe
1048	1e3f692a00a384f021b60e1ac5e23c5c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description pid process

Token: SeDebugPrivilege 1048 1e3f692a00a384f021b60e1ac5e23c5c.exe

description	pid	process
Token: SeDebugPrivilege	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	pid	process	target process
PID 1048 wrote to memory of 1416	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1416	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1416	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1528	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1528	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1528	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1716	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1716	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1716	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1292	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1292	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1292	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1464	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1464	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1464	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1872	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1872	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1872	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1544	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1544	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1544	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1076	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1076	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1076	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1952	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1952	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe
PID 1048 wrote to memory of 1952	1048	1e3f692a00a384f021b60e1ac5e23c5c.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe

C:\Users\Admin\AppData\Local\Temp\1e3f692a00a384f021b60e1ac5e23c5c.exe
"C:\Users\Admin\AppData\Local\Temp\1e3f692a00a384f021b60e1ac5e23c5c.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e3f692a00a384f021b60e1ac5e23c5c.exe'
2⤵
PID:1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smss.exe'
2⤵
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'
2⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
2⤵
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\WMIADAP.exe'
2⤵
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'
2⤵
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'
2⤵
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\1e3f692a00a384f021b60e1ac5e23c5c.exe'
2⤵
PID:1076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\dwm.exe'
2⤵
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\csrss.exe'
2⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\csrss.exe'
2⤵
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'
2⤵
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsm.exe'
2⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\dwm.exe'
2⤵
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'
2⤵
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\lsm.exe'
2⤵
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
2⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\WMIADAP.exe'
2⤵
PID:2188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e23ZyOZiTq.bat"
2⤵
PID:2260

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2500

C:\Users\All Users\Microsoft\csrss.exe
"C:\Users\All Users\Microsoft\csrss.exe"
3⤵
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c1" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c1" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\csrss.exe
Filesize
2.6MB

MD5
a9ec4013d12a2413450967dfdbea1729

SHA1
00932ce076637d6cc7cededc63a5873bf5f0f7ad

SHA256
f5ef77f2bf705476cff7790bb9aef18c3ec50ed904cf384dc63a6faf3401ca71

SHA512
dd785ac82ab2d64282d46dfd0cf5be6d972b46accbbfd64125bf19c03392fb1fbb219c91f3266652b87a47e44700d68c1da35c749a6ce510e2e3af743739feb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e23ZyOZiTq.bat
Filesize
203B

MD5
bc44969b01c7da5c54664b5a83b52841

SHA1
40dd616eb69ec7dbf932bcc81a883b4dd10fa7c9

SHA256
8433f4fd0b7a51faba98713c25d4fa8f2bace1cdc9235ec42afbfcedec97b63c

SHA512
0cc110e7783f4f908454344cdc4334a9438dc345b1a1c2ad3aad9f4d814fdab5013c7c5ea90f2fe441f10965f0f1f60d1e0f6dd02794a6ef929e34e234f151f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
94985de2a88086f642e9943e71afbeb0

SHA1
cc413384a7feeb2eb487864df1b333e93a8c411b

SHA256
8c487c78164fa309d35b0fb20eed84859cebe293832929a78d6ce80921114561

SHA512
2b57c0b0a8a77c367a1a6fa7811d6069320a9d91592c9d6d494b6868d36120dbed60c9e332bfa2ced7576bf371a0fb19aaaef9d07a6a64c451c6fe496ab1051c

Download Submit
C:\Users\All Users\Microsoft\csrss.exe
Filesize
2.6MB

MD5
a9ec4013d12a2413450967dfdbea1729

SHA1
00932ce076637d6cc7cededc63a5873bf5f0f7ad

SHA256
f5ef77f2bf705476cff7790bb9aef18c3ec50ed904cf384dc63a6faf3401ca71

SHA512
dd785ac82ab2d64282d46dfd0cf5be6d972b46accbbfd64125bf19c03392fb1fbb219c91f3266652b87a47e44700d68c1da35c749a6ce510e2e3af743739feb6

Download Submit
memory/552-108-0x0000000000000000-mapping.dmp

Download
memory/552-154-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/552-139-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/680-141-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/680-102-0x0000000000000000-mapping.dmp

Download
memory/680-149-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1048-67-0x00000000011A0000-0x00000000011AC000-memory.dmp

Filesize
48KB

Download
memory/1048-69-0x00000000011C0000-0x00000000011C8000-memory.dmp

Filesize
32KB

Download
memory/1048-128-0x000000001B106000-0x000000001B125000-memory.dmp

Filesize
124KB

Download
memory/1048-55-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/1048-57-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1048-56-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1048-54-0x00000000011E0000-0x0000000001484000-memory.dmp

Filesize
2.6MB

Download
memory/1048-58-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/1048-74-0x000000001B106000-0x000000001B125000-memory.dmp

Filesize
124KB

Download
memory/1048-59-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1048-73-0x000000001B106000-0x000000001B125000-memory.dmp

Filesize
124KB

Download
memory/1048-72-0x000000001A8A0000-0x000000001A8AC000-memory.dmp

Filesize
48KB

Download
memory/1048-71-0x000000001A890000-0x000000001A898000-memory.dmp

Filesize
32KB

Download
memory/1048-70-0x00000000011D0000-0x00000000011DE000-memory.dmp

Filesize
56KB

Download
memory/1048-60-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1048-61-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1048-68-0x00000000011B0000-0x00000000011BC000-memory.dmp

Filesize
48KB

Download
memory/1048-62-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/1048-66-0x0000000001170000-0x0000000001182000-memory.dmp

Filesize
72KB

Download
memory/1048-63-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1048-65-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/1048-64-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/1076-160-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1076-84-0x0000000000000000-mapping.dmp

Download
memory/1076-140-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1120-105-0x0000000000000000-mapping.dmp

Download
memory/1120-143-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1120-147-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1120-172-0x000007FEE7750000-0x000007FEE82AD000-memory.dmp

Filesize
11.4MB

Download
memory/1292-96-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1292-78-0x0000000000000000-mapping.dmp

Download
memory/1292-156-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1416-93-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1416-81-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1416-75-0x0000000000000000-mapping.dmp

Download
memory/1416-152-0x000007FEE7750000-0x000007FEE82AD000-memory.dmp

Filesize
11.4MB

Download
memory/1416-171-0x0000000001DE0000-0x0000000001E60000-memory.dmp

Filesize
512KB

Download
memory/1416-153-0x0000000001DE0000-0x0000000001E60000-memory.dmp

Filesize
512KB

Download
memory/1464-79-0x0000000000000000-mapping.dmp

Download
memory/1464-98-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1464-163-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1508-168-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1508-100-0x0000000000000000-mapping.dmp

Download
memory/1508-162-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1528-76-0x0000000000000000-mapping.dmp

Download
memory/1544-82-0x0000000000000000-mapping.dmp

Download
memory/1568-157-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1568-104-0x0000000000000000-mapping.dmp

Download
memory/1568-166-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/1716-77-0x0000000000000000-mapping.dmp

Download
memory/1716-164-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1716-144-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1728-165-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1728-158-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1728-95-0x0000000000000000-mapping.dmp

Download
memory/1872-159-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1872-92-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1872-80-0x0000000000000000-mapping.dmp

Download
memory/1952-142-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/1952-155-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/1952-89-0x0000000000000000-mapping.dmp

Download
memory/2072-167-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/2072-110-0x0000000000000000-mapping.dmp

Download
memory/2072-161-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/2124-114-0x0000000000000000-mapping.dmp

Download
memory/2124-146-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/2124-150-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/2124-170-0x000007FEE7750000-0x000007FEE82AD000-memory.dmp

Filesize
11.4MB

Download
memory/2188-148-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2188-151-0x000007FEE7750000-0x000007FEE82AD000-memory.dmp

Filesize
11.4MB

Download
memory/2188-145-0x000007FEEAC20000-0x000007FEEB643000-memory.dmp

Filesize
10.1MB

Download
memory/2188-115-0x0000000000000000-mapping.dmp

Download
memory/2260-118-0x0000000000000000-mapping.dmp

Download
memory/2500-131-0x0000000000000000-mapping.dmp

Download
memory/2528-138-0x000000001B296000-0x000000001B2B5000-memory.dmp

Filesize
124KB

Download
memory/2528-133-0x0000000000000000-mapping.dmp

Download
memory/2528-135-0x00000000013E0000-0x0000000001684000-memory.dmp

Filesize
2.6MB

Download
memory/2528-136-0x0000000000C40000-0x0000000000C96000-memory.dmp

Filesize
344KB

Download
memory/2528-137-0x000000001B296000-0x000000001B2B5000-memory.dmp

Filesize
124KB

Download