Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/03/2024, 14:46
Behavioral task: behavioral1
- Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Resource: win10v2004-20240319-en
General
- Target: 1994f3ef2118aeecbb74e6c8976fd47b.exe
- Size: 3.2MB
- MD5: 1994f3ef2118aeecbb74e6c8976fd47b
- SHA1: 8f157fc5c2af51db24b66085f29d3c1240be36b2
- SHA256: 5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
- SHA512: 48837e3aa613c2864b6ce2470a9297cac0ca04b58493e322b54f1d76bc3c3778cbebd63bb0aea9232493dd0ae065094f937e55ae4024b186332c277c28b4f15a
- SSDEEP: 49152:a4iktlQ2cj9ScADsiz76m0JVqeUYfHuv4mDrsdWE2hnKQ9nO1zdhBFMGIEdY/0/w:aXktlQQsE49UguAiu2cp1zjLddZ9QY
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2740 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 996 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1060 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 760 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 488 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 660 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1560 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2104 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 292 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1904 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 412 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2140 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1604 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1352 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1620 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1232 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1696 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 2440 | schtasks.exe | 28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2440 | schtasks.exe | 28

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe

resource | yara_rule
behavioral1/memory/2676-0-0x0000000001390000-0x00000000016C0000-memory.dmp | dcrat
behavioral1/files/0x000600000001745e-43.dat | dcrat
behavioral1/memory/2568-79-0x000000001AE50000-0x000000001AED0000-memory.dmp | dcrat
behavioral1/files/0x003200000001630b-90.dat | dcrat
behavioral1/memory/1992-92-0x000000001AF90000-0x000000001B010000-memory.dmp | dcrat
behavioral1/memory/1860-106-0x000000001B200000-0x000000001B280000-memory.dmp | dcrat
behavioral1/memory/1476-150-0x000000001B6A0000-0x000000001B720000-memory.dmp | dcrat
behavioral1/files/0x003200000001630b-164.dat | dcrat
behavioral1/files/0x00060000000191ed-182.dat | dcrat
behavioral1/memory/2732-205-0x00000000003D0000-0x0000000000700000-memory.dmp | dcrat
behavioral1/memory/1748-220-0x0000000000BA0000-0x0000000000ED0000-memory.dmp | dcrat
behavioral1/files/0x00060000000191ed-226.dat | dcrat

Executes dropped EXE 10 IoCs

pid | Process
2568 | csrss.exe
1992 | csrss.exe
1860 | csrss.exe
2936 | csrss.exe
1476 | csrss.exe
2652 | csrss.exe
2560 | csrss.exe
2732 | csrss.exe
1748 | csrss.exe
2676 | csrss.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe

Drops file in Program Files directory 16 IoCs

description | ioc | Process
File created | C:\Program Files\Common Files\Services\csrss.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files\Windows Photo Viewer\en-US\wininit.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files\Windows Defender\csrss.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\42af1c969fbb7b | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files\Windows Photo Viewer\en-US\56085415360792 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Google\Update\Offline\c5b4cb5e9653cc | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Google\Update\Offline\services.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\5940a34987c991 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files\Common Files\Services\886983d96e3d3e | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files\Windows Defender\886983d96e3d3e | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Program Files (x86)\Common Files\DESIGNER\5d3a782401ab58 | 1994f3ef2118aeecbb74e6c8976fd47b.exe

Drops file in Windows directory 6 IoCs

description | ioc | Process
File created | C:\Windows\Boot\Idle.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Windows\schemas\wininit.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File opened for modification | C:\Windows\schemas\wininit.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Windows\schemas\56085415360792 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Windows\ServiceProfiles\lsass.exe | 1994f3ef2118aeecbb74e6c8976fd47b.exe
File created | C:\Windows\ServiceProfiles\6203df4a6bafc7 | 1994f3ef2118aeecbb74e6c8976fd47b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
2952 | schtasks.exe
1904 | schtasks.exe
1604 | schtasks.exe
2184 | schtasks.exe
2600 | schtasks.exe
2652 | schtasks.exe
2592 | schtasks.exe
2292 | schtasks.exe
488 | schtasks.exe
1540 | schtasks.exe
1232 | schtasks.exe
1696 | schtasks.exe
2856 | schtasks.exe
2908 | schtasks.exe
760 | schtasks.exe
2604 | schtasks.exe
2268 | schtasks.exe
2140 | schtasks.exe
2724 | schtasks.exe
384 | schtasks.exe
2128 | schtasks.exe
1656 | schtasks.exe
884 | schtasks.exe
1208 | schtasks.exe
2172 | schtasks.exe
2896 | schtasks.exe
996 | schtasks.exe
2576 | schtasks.exe
2104 | schtasks.exe
1060 | schtasks.exe
1352 | schtasks.exe
2000 | schtasks.exe
2816 | schtasks.exe
2996 | schtasks.exe
2408 | schtasks.exe
412 | schtasks.exe
3068 | schtasks.exe
2348 | schtasks.exe
2056 | schtasks.exe
660 | schtasks.exe
1856 | schtasks.exe
916 | schtasks.exe
1368 | schtasks.exe
2196 | schtasks.exe
1900 | schtasks.exe
2372 | schtasks.exe
292 | schtasks.exe
1620 | schtasks.exe
1092 | schtasks.exe
2740 | schtasks.exe
1560 | schtasks.exe
2180 | schtasks.exe
2340 | schtasks.exe
3048 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid | Process
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe
2568 | csrss.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description | pid | Process
Token: SeDebugPrivilege | 2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Token: SeDebugPrivilege | 2568 | csrss.exe
Token: SeDebugPrivilege | 1992 | csrss.exe
Token: SeDebugPrivilege | 1860 | csrss.exe
Token: SeDebugPrivilege | 2936 | csrss.exe
Token: SeDebugPrivilege | 1476 | csrss.exe
Token: SeDebugPrivilege | 2652 | csrss.exe
Token: SeDebugPrivilege | 2560 | csrss.exe
Token: SeDebugPrivilege | 2732 | csrss.exe
Token: SeDebugPrivilege | 1748 | csrss.exe
Token: SeDebugPrivilege | 2676 | csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description | pid | Process | procid_target
PID 2676 wrote to memory of 2568 | 2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 83
PID 2676 wrote to memory of 2568 | 2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 83
PID 2676 wrote to memory of 2568 | 2676 | 1994f3ef2118aeecbb74e6c8976fd47b.exe | 83
PID 2568 wrote to memory of 1892 | 2568 | csrss.exe | 84
PID 2568 wrote to memory of 1892 | 2568 | csrss.exe | 84
PID 2568 wrote to memory of 1892 | 2568 | csrss.exe | 84
PID 2568 wrote to memory of 1752 | 2568 | csrss.exe | 85
PID 2568 wrote to memory of 1752 | 2568 | csrss.exe | 85
PID 2568 wrote to memory of 1752 | 2568 | csrss.exe | 85
PID 1892 wrote to memory of 1992 | 1892 | WScript.exe | 86
PID 1892 wrote to memory of 1992 | 1892 | WScript.exe | 86
PID 1892 wrote to memory of 1992 | 1892 | WScript.exe | 86
PID 1992 wrote to memory of 592 | 1992 | csrss.exe | 87
PID 1992 wrote to memory of 592 | 1992 | csrss.exe | 87
PID 1992 wrote to memory of 592 | 1992 | csrss.exe | 87
PID 1992 wrote to memory of 1096 | 1992 | csrss.exe | 88
PID 1992 wrote to memory of 1096 | 1992 | csrss.exe | 88
PID 1992 wrote to memory of 1096 | 1992 | csrss.exe | 88
PID 592 wrote to memory of 1860 | 592 | WScript.exe | 89
PID 592 wrote to memory of 1860 | 592 | WScript.exe | 89
PID 592 wrote to memory of 1860 | 592 | WScript.exe | 89
PID 1860 wrote to memory of 2536 | 1860 | csrss.exe | 90
PID 1860 wrote to memory of 2536 | 1860 | csrss.exe | 90
PID 1860 wrote to memory of 2536 | 1860 | csrss.exe | 90
PID 1860 wrote to memory of 2656 | 1860 | csrss.exe | 91
PID 1860 wrote to memory of 2656 | 1860 | csrss.exe | 91
PID 1860 wrote to memory of 2656 | 1860 | csrss.exe | 91
PID 2536 wrote to memory of 2936 | 2536 | WScript.exe | 94
PID 2536 wrote to memory of 2936 | 2536 | WScript.exe | 94
PID 2536 wrote to memory of 2936 | 2536 | WScript.exe | 94
PID 2936 wrote to memory of 2036 | 2936 | csrss.exe | 95
PID 2936 wrote to memory of 2036 | 2936 | csrss.exe | 95
PID 2936 wrote to memory of 2036 | 2936 | csrss.exe | 95
PID 2936 wrote to memory of 2680 | 2936 | csrss.exe | 96
PID 2936 wrote to memory of 2680 | 2936 | csrss.exe | 96
PID 2936 wrote to memory of 2680 | 2936 | csrss.exe | 96
PID 2036 wrote to memory of 1476 | 2036 | WScript.exe | 97
PID 2036 wrote to memory of 1476 | 2036 | WScript.exe | 97
PID 2036 wrote to memory of 1476 | 2036 | WScript.exe | 97
PID 1476 wrote to memory of 2308 | 1476 | csrss.exe | 98
PID 1476 wrote to memory of 2308 | 1476 | csrss.exe | 98
PID 1476 wrote to memory of 2308 | 1476 | csrss.exe | 98
PID 1476 wrote to memory of 1940 | 1476 | csrss.exe | 99
PID 1476 wrote to memory of 1940 | 1476 | csrss.exe | 99
PID 1476 wrote to memory of 1940 | 1476 | csrss.exe | 99
PID 2308 wrote to memory of 2652 | 2308 | WScript.exe | 100
PID 2308 wrote to memory of 2652 | 2308 | WScript.exe | 100
PID 2308 wrote to memory of 2652 | 2308 | WScript.exe | 100
PID 2652 wrote to memory of 2848 | 2652 | csrss.exe | 101
PID 2652 wrote to memory of 2848 | 2652 | csrss.exe | 101
PID 2652 wrote to memory of 2848 | 2652 | csrss.exe | 101
PID 2652 wrote to memory of 1232 | 2652 | csrss.exe | 102
PID 2652 wrote to memory of 1232 | 2652 | csrss.exe | 102
PID 2652 wrote to memory of 1232 | 2652 | csrss.exe | 102
PID 2848 wrote to memory of 2560 | 2848 | WScript.exe | 103
PID 2848 wrote to memory of 2560 | 2848 | WScript.exe | 103
PID 2848 wrote to memory of 2560 | 2848 | WScript.exe | 103
PID 2560 wrote to memory of 2208 | 2560 | csrss.exe | 104
PID 2560 wrote to memory of 2208 | 2560 | csrss.exe | 104
PID 2560 wrote to memory of 2208 | 2560 | csrss.exe | 104
PID 2560 wrote to memory of 2716 | 2560 | csrss.exe | 105
PID 2560 wrote to memory of 2716 | 2560 | csrss.exe | 105
PID 2560 wrote to memory of 2716 | 2560 | csrss.exe | 105
PID 2208 wrote to memory of 2732 | 2208 | WScript.exe | 106

System policy modification 1 TTPs 33 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1994f3ef2118aeecbb74e6c8976fd47b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(nesting depth in brackets; each process shows its path, command line, PID and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1994f3ef2118aeecbb74e6c8976fd47b.exe"
    PID: 2676
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
      Command line: "C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe"
      PID: 2568
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\114f6a21-7494-4334-8074-77afa40c308e.vbs"
        PID: 1892
        - Suspicious use of WriteProcessMemory
      [4] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
          Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
          PID: 1992
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aabf0ab-2ca8-4e25-9e90-fd6359e0ce4e.vbs"
            PID: 592
            - Suspicious use of WriteProcessMemory
          [6] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
              Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
              PID: 1860
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
            [7] C:\Windows\System32\WScript.exe
                Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3276c21-a30b-480f-b54f-4854570b9b51.vbs"
                PID: 2536
                - Suspicious use of WriteProcessMemory
              [8] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                  Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                  PID: 2936
                  - UAC bypass
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification
                [9] C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78dd1a97-3ac8-4cc1-8f52-8615fffd81a1.vbs"
                    PID: 2036
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                       Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                       PID: 1476
                       - UAC bypass
                       - Executes dropped EXE
                       - Checks whether UAC is enabled
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                       - System policy modification
                    [11] C:\Windows\System32\WScript.exe
                         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\650f3208-2d92-41fa-96f3-520d311947f0.vbs"
                         PID: 2308
                         - Suspicious use of WriteProcessMemory
                      [12] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                           Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                           PID: 2652
                           - UAC bypass
                           - Executes dropped EXE
                           - Checks whether UAC is enabled
                           - Suspicious use of AdjustPrivilegeToken
                           - Suspicious use of WriteProcessMemory
                           - System policy modification
                        [13] C:\Windows\System32\WScript.exe
                             Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a49d39-dce3-4f3a-bdbc-b647d87d8d6d.vbs"
                             PID: 2848
                             - Suspicious use of WriteProcessMemory
                          [14] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                               Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                               PID: 2560
                               - UAC bypass
                               - Executes dropped EXE
                               - Checks whether UAC is enabled
                               - Suspicious use of AdjustPrivilegeToken
                               - Suspicious use of WriteProcessMemory
                               - System policy modification
                            [15] C:\Windows\System32\WScript.exe
                                 Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d3ea02f-765c-4bcb-a91b-73c8b711f941.vbs"
                                 PID: 2208
                                 - Suspicious use of WriteProcessMemory
                              [16] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                   Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                   PID: 2732
                                   - UAC bypass
                                   - Executes dropped EXE
                                   - Checks whether UAC is enabled
                                   - Suspicious use of AdjustPrivilegeToken
                                   - System policy modification
                                [17] C:\Windows\System32\WScript.exe
                                     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\109399d3-78ce-4cb5-bca2-09e3541df3ae.vbs"
                                     PID: 2996
                                  [18] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                       Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                       PID: 1748
                                       - UAC bypass
                                       - Executes dropped EXE
                                       - Checks whether UAC is enabled
                                       - Suspicious use of AdjustPrivilegeToken
                                       - System policy modification
                                    [19] C:\Windows\System32\WScript.exe
                                         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa59f44-724d-4e15-87e1-493a539137b7.vbs"
                                         PID: 3056
                                      [20] C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                           Command line: C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe
                                           PID: 2676
                                           - UAC bypass
                                           - Executes dropped EXE
                                           - Checks whether UAC is enabled
                                           - Suspicious use of AdjustPrivilegeToken
                                           - System policy modification
                                        [21] C:\Windows\System32\WScript.exe
                                             Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01196dfb-b8d2-435f-a7bf-fdc36e7d7b1f.vbs"
                                             PID: 1608
                                        [21] C:\Windows\System32\WScript.exe
                                             Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bed549e-638a-4ba2-9792-bccf9ae0fb92.vbs"
                                             PID: 2868
                                    [19] C:\Windows\System32\WScript.exe
                                         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7601085-0ccb-4b87-b1f9-0c1ddc9f49a2.vbs"
                                         PID: 2400
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45f7fb4b-c75e-405d-a081-ffd2ead2119e.vbs"17⤵PID:2552
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a51dcd-c12d-4d29-8c60-595d3441931e.vbs"15⤵PID:2716
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c4dbd5-da1b-4890-9e41-152744547ea3.vbs"13⤵PID:1232
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f5e63ea-683c-4d09-9c47-0e828b4c152b.vbs"11⤵PID:1940
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0df75ae-27fe-4fed-8cef-ce67e8e60432.vbs"9⤵PID:2680
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55968cf4-b7c3-4757-8ccd-92ab406f18fc.vbs"7⤵PID:2656
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c646af0-a85d-4c51-80d3-efd1ec323331.vbs"5⤵PID:1096
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8062ef-78ba-4bf9-86a7-d3d807d11357.vbs"3⤵PID:1752
-
-
-
Scheduled-task creations (all at depth 1, image C:\Windows\system32\schtasks.exe). Every entry below carries the same two signatures: "Process spawned unexpected child process" and "Creates scheduled task(s)".

PID 2576: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\wininit.exe'" /f
PID 2604: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\schemas\wininit.exe'" /rl HIGHEST /f
PID 2408: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\wininit.exe'" /rl HIGHEST /f
PID 2908: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
PID 3048: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
PID 2172: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
PID 2652: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /f
PID 2724: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /rl HIGHEST /f
PID 2740: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Offline\services.exe'" /rl HIGHEST /f
PID 2856: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /f
PID 2896: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f
PID 996: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Acrobat\sppsvc.exe'" /rl HIGHEST /f
PID 1208: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /f
PID 2000: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
PID 1060: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
PID 760: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /f
PID 384: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /rl HIGHEST /f
PID 488: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\lsass.exe'" /rl HIGHEST /f
PID 1092: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /f
PID 1900: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
PID 1856: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
PID 2952: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\spoolsv.exe'" /f
PID 660: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
PID 1560: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
PID 2372: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
PID 2180: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
PID 2104: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
PID 2292: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f
PID 2592: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
PID 2816: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
PID 292: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f
PID 1904: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
PID 412: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
PID 2128: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /f
PID 2140: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f
PID 1604: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f
PID 1656: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /f
PID 1540: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
PID 1352: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
PID 1620: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
PID 1232: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
PID 916: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
PID 2996: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
PID 1368: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
PID 2268: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
PID 3068: schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b1" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /f
PID 2184: schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /rl HIGHEST /f
PID 884: schtasks.exe /create /tn "1994f3ef2118aeecbb74e6c8976fd47b1" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\1994f3ef2118aeecbb74e6c8976fd47b.exe'" /rl HIGHEST /f
PID 2340: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\services.exe'" /f
PID 2348: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
PID 1696: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
PID 2196: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
PID 2600: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
PID 2056: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads