dcrat | a5f4363625928d7fb64087212bd9d094972260739b274f44b53bbbd5be6d19b7

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68DFE1E08B8CC7D19FF72334FDD09DB8.exe
Size

4.1MB
MD5

68dfe1e08b8cc7d19ff72334fdd09db8
SHA1

34fb36f9b553c26b0753f540b6a8af1760bb74dc
SHA256

a5f4363625928d7fb64087212bd9d094972260739b274f44b53bbbd5be6d19b7
SHA512

035d3806dafbd5e3a6358072363267178215c74a2f66750792e839d8f24a4244338d1a59862953eb872b5a13ae675647310818a05f1f70206f1ea15157cc8686
SSDEEP

98304:b2iJbE5xmRwLHVZCC55YkdOsfMvBh0ND4wELWZ:yMaxAWHVkq5Y2fMkNDILWZ

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2352	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execomponentWininto.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ÑyberLoad.exe	dcrat
behavioral1/memory/612-9-0x0000000000400000-0x0000000000828000-memory.dmp	dcrat
\Users\Admin\AppData\Local\Temp\CyberLoader.exe	dcrat
behavioral1/memory/1164-20-0x0000000000400000-0x0000000000816000-memory.dmp	dcrat
C:\msPortRefnetdhcp\componentWininto.exe	dcrat
behavioral1/memory/2548-41-0x00000000012F0000-0x000000000165A000-memory.dmp	dcrat
behavioral1/memory/1832-99-0x00000000008D0000-0x0000000000C3A000-memory.dmp	dcrat
behavioral1/memory/2520-114-0x0000000000F20000-0x000000000128A000-memory.dmp	dcrat
behavioral1/memory/2604-146-0x000000001B200000-0x000000001B280000-memory.dmp	dcrat
behavioral1/memory/1712-175-0x00000000002E0000-0x000000000064A000-memory.dmp	dcrat
behavioral1/memory/1712-177-0x000000001B460000-0x000000001B4E0000-memory.dmp	dcrat

Executes dropped EXE 14 IoCs

Processes:

ÑyberLoad.exeMVPLoader.exeCyberLoader.execomponentWininto.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
1164	ÑyberLoad.exe
2460	MVPLoader.exe
2692	CyberLoader.exe
2548	componentWininto.exe
1832	csrss.exe
2520	csrss.exe
1968	csrss.exe
2604	csrss.exe
1648	csrss.exe
1712	csrss.exe
1388	csrss.exe
2700	csrss.exe
1732	csrss.exe
2980	csrss.exe

Loads dropped DLL 6 IoCs

Processes:

68DFE1E08B8CC7D19FF72334FDD09DB8.exeÑyberLoad.execmd.exe

pid process

612 68DFE1E08B8CC7D19FF72334FDD09DB8.exe
612 68DFE1E08B8CC7D19FF72334FDD09DB8.exe
1164 ÑyberLoad.exe
1164 ÑyberLoad.exe
2156 cmd.exe
2156 cmd.exe

pid	process
612	68DFE1E08B8CC7D19FF72334FDD09DB8.exe
612	68DFE1E08B8CC7D19FF72334FDD09DB8.exe
1164	ÑyberLoad.exe
1164	ÑyberLoad.exe
2156	cmd.exe
2156	cmd.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execomponentWininto.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentWininto.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Windows directory 2 IoCs

Processes:

componentWininto.exe

description ioc process

File created C:\Windows\system\lsass.exe componentWininto.exe
File created C:\Windows\system\6203df4a6bafc7 componentWininto.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\system\lsass.exe	componentWininto.exe
File created	C:\Windows\system\6203df4a6bafc7	componentWininto.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
1920	schtasks.exe
1084	schtasks.exe
2436	schtasks.exe
2660	schtasks.exe
2232	schtasks.exe
2264	schtasks.exe
2720	schtasks.exe
2904	schtasks.exe
2676	schtasks.exe
620	schtasks.exe
2348	schtasks.exe
824	schtasks.exe
2008	schtasks.exe
2316	schtasks.exe
1080	schtasks.exe
1624	schtasks.exe
1492	schtasks.exe
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

componentWininto.execsrss.exe

pid	process
2548	componentWininto.exe
2548	componentWininto.exe
2548	componentWininto.exe
2548	componentWininto.exe
2548	componentWininto.exe
2548	componentWininto.exe
2548	componentWininto.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe
1832	csrss.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

componentWininto.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2548	componentWininto.exe
Token: SeDebugPrivilege	1832	csrss.exe
Token: SeDebugPrivilege	2520	csrss.exe
Token: SeDebugPrivilege	1968	csrss.exe
Token: SeDebugPrivilege	2604	csrss.exe
Token: SeDebugPrivilege	1648	csrss.exe
Token: SeDebugPrivilege	1712	csrss.exe
Token: SeDebugPrivilege	1388	csrss.exe
Token: SeDebugPrivilege	1732	csrss.exe
Token: SeDebugPrivilege	2980	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

68DFE1E08B8CC7D19FF72334FDD09DB8.exeÑyberLoad.exeCyberLoader.exeWScript.execmd.execomponentWininto.execmd.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	process	target process
PID 612 wrote to memory of 1164	612	68DFE1E08B8CC7D19FF72334FDD09DB8.exe	ÑyberLoad.exe
PID 612 wrote to memory of 1164	612	68DFE1E08B8CC7D19FF72334FDD09DB8.exe	ÑyberLoad.exe
PID 612 wrote to memory of 1164	612	68DFE1E08B8CC7D19FF72334FDD09DB8.exe	ÑyberLoad.exe
PID 612 wrote to memory of 1164	612	68DFE1E08B8CC7D19FF72334FDD09DB8.exe	ÑyberLoad.exe
PID 1164 wrote to memory of 2460	1164	ÑyberLoad.exe	MVPLoader.exe
PID 1164 wrote to memory of 2460	1164	ÑyberLoad.exe	MVPLoader.exe
PID 1164 wrote to memory of 2460	1164	ÑyberLoad.exe	MVPLoader.exe
PID 1164 wrote to memory of 2460	1164	ÑyberLoad.exe	MVPLoader.exe
PID 1164 wrote to memory of 2692	1164	ÑyberLoad.exe	CyberLoader.exe
PID 1164 wrote to memory of 2692	1164	ÑyberLoad.exe	CyberLoader.exe
PID 1164 wrote to memory of 2692	1164	ÑyberLoad.exe	CyberLoader.exe
PID 1164 wrote to memory of 2692	1164	ÑyberLoad.exe	CyberLoader.exe
PID 2692 wrote to memory of 2708	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 2708	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 2708	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 2708	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 1892	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 1892	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 1892	2692	CyberLoader.exe	WScript.exe
PID 2692 wrote to memory of 1892	2692	CyberLoader.exe	WScript.exe
PID 2708 wrote to memory of 2156	2708	WScript.exe	cmd.exe
PID 2708 wrote to memory of 2156	2708	WScript.exe	cmd.exe
PID 2708 wrote to memory of 2156	2708	WScript.exe	cmd.exe
PID 2708 wrote to memory of 2156	2708	WScript.exe	cmd.exe
PID 2156 wrote to memory of 2548	2156	cmd.exe	componentWininto.exe
PID 2156 wrote to memory of 2548	2156	cmd.exe	componentWininto.exe
PID 2156 wrote to memory of 2548	2156	cmd.exe	componentWininto.exe
PID 2156 wrote to memory of 2548	2156	cmd.exe	componentWininto.exe
PID 2548 wrote to memory of 1528	2548	componentWininto.exe	cmd.exe
PID 2548 wrote to memory of 1528	2548	componentWininto.exe	cmd.exe
PID 2548 wrote to memory of 1528	2548	componentWininto.exe	cmd.exe
PID 1528 wrote to memory of 1172	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 1172	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 1172	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 1832	1528	cmd.exe	csrss.exe
PID 1528 wrote to memory of 1832	1528	cmd.exe	csrss.exe
PID 1528 wrote to memory of 1832	1528	cmd.exe	csrss.exe
PID 1832 wrote to memory of 852	1832	csrss.exe	WScript.exe
PID 1832 wrote to memory of 852	1832	csrss.exe	WScript.exe
PID 1832 wrote to memory of 852	1832	csrss.exe	WScript.exe
PID 1832 wrote to memory of 2080	1832	csrss.exe	WScript.exe
PID 1832 wrote to memory of 2080	1832	csrss.exe	WScript.exe
PID 1832 wrote to memory of 2080	1832	csrss.exe	WScript.exe
PID 852 wrote to memory of 2520	852	WScript.exe	csrss.exe
PID 852 wrote to memory of 2520	852	WScript.exe	csrss.exe
PID 852 wrote to memory of 2520	852	WScript.exe	csrss.exe
PID 2520 wrote to memory of 1108	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 1108	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 1108	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 568	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 568	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 568	2520	csrss.exe	WScript.exe
PID 1108 wrote to memory of 1968	1108	WScript.exe	csrss.exe
PID 1108 wrote to memory of 1968	1108	WScript.exe	csrss.exe
PID 1108 wrote to memory of 1968	1108	WScript.exe	csrss.exe
PID 1968 wrote to memory of 1600	1968	csrss.exe	WScript.exe
PID 1968 wrote to memory of 1600	1968	csrss.exe	WScript.exe
PID 1968 wrote to memory of 1600	1968	csrss.exe	WScript.exe
PID 1968 wrote to memory of 1132	1968	csrss.exe	WScript.exe
PID 1968 wrote to memory of 1132	1968	csrss.exe	WScript.exe
PID 1968 wrote to memory of 1132	1968	csrss.exe	WScript.exe
PID 1600 wrote to memory of 2604	1600	WScript.exe	csrss.exe
PID 1600 wrote to memory of 2604	1600	WScript.exe	csrss.exe
PID 1600 wrote to memory of 2604	1600	WScript.exe	csrss.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

componentWininto.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	componentWininto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68DFE1E08B8CC7D19FF72334FDD09DB8.exe
"C:\Users\Admin\AppData\Local\Temp\68DFE1E08B8CC7D19FF72334FDD09DB8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\ÑyberLoad.exe
"C:\Users\Admin\AppData\Local\Temp\ÑyberLoad.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\MVPLoader.exe
"C:\Users\Admin\AppData\Local\Temp\MVPLoader.exe"
3⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\Temp\CyberLoader.exe
"C:\Users\Admin\AppData\Local\Temp\CyberLoader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\msPortRefnetdhcp\zRMFcMzN1094wnGdurNck4fGlt.vbe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\msPortRefnetdhcp\m6JlOKDKnmGOe6a.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\msPortRefnetdhcp\componentWininto.exe
"C:\msPortRefnetdhcp\componentWininto.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3ZyU9bk9ST.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1172

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239a9642-beb1-4063-bf8c-daea332d6351.vbs"
9⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3f8102c-8c49-4546-952f-2b23aefea48b.vbs"
11⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1653d71-0374-406b-89f7-c89b8299c51c.vbs"
13⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2966e8f-8ec8-467e-b7eb-070aa17cfdea.vbs"
15⤵
PID:960

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\064fab23-99b5-43bd-b597-de873ad795f6.vbs"
17⤵
PID:1160

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41859c88-e4f8-4078-aac1-89f8d241b744.vbs"
19⤵
PID:2628

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f60d75c-1321-4b34-96d8-05f98c72b9dc.vbs"
21⤵
PID:2476

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:2700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad2b3a7-bcd5-431f-bf0a-a808a5507115.vbs"
23⤵
PID:3024

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24da31cb-29c4-45b6-a9b6-6d147028c615.vbs"
25⤵
PID:656

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfad13d2-47ed-4917-98e1-fe72ecad93ef.vbs"
27⤵
PID:2452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca1327e-a374-4bd2-87f5-becb388a3f7c.vbs"
27⤵
PID:2420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93b86da-e136-464a-bc1c-763812a7e4db.vbs"
25⤵
PID:2428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\753e5185-c82f-407f-8832-372cc688027d.vbs"
23⤵
PID:2824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f9d25a7-e9c2-4c50-b789-3a947178af8c.vbs"
21⤵
PID:2892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f2bc4d-85d7-450f-aa1a-9b002f9a16b8.vbs"
19⤵
PID:1612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623f9a9e-84b2-4c3b-b6bd-b130d19df0c1.vbs"
17⤵
PID:2640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e930480d-f80c-49c2-94d5-c98e2ed040e0.vbs"
15⤵
PID:1812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\931077c9-738f-42ed-84c8-b1cd32316092.vbs"
13⤵
PID:1132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61547f3-68cc-4cde-b490-828909bfc047.vbs"
11⤵
PID:568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6911cfc-80fb-4dce-81f5-cdf4e2a50626.vbs"
9⤵
PID:2080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\msPortRefnetdhcp\file.vbs"
4⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\system\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\msPortRefnetdhcp\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\msPortRefnetdhcp\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\msPortRefnetdhcp\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\064fab23-99b5-43bd-b597-de873ad795f6.vbs

Filesize
707B

MD5
825fc15c56eb5f90f06425b5bc10fdbb

SHA1
bb95c18f1ccf9ec3ecb2fd9c04568ada807b3aad

SHA256
f0b222b2aad37abad1ec35609b4a76d53c0f8103fc1fa8596dadf898616fb504

SHA512
57d341037d6e44310b413800b8c2abca74e58ec505cb8b2e8c73129dd65e5839dc7e92f2ebdc816b1dfb710a017a09c2fc80c62dea656b9210ee81ae3bfb2332

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f60d75c-1321-4b34-96d8-05f98c72b9dc.vbs

Filesize
707B

MD5
467ebafe5667239cdcd826a8c641737c

SHA1
068ef4e4a62da39e2cb20bcd62afa93e86d0c55c

SHA256
f4111c6522e610dfd85bd84a43a8c19b58bad56ac2bc924b8fcee1035aea99a0

SHA512
0fe0063128bd360da27bdb1dbf995809dc851321f4351bb0b72a35d87906b8cdca0bd18a7d9743caf5714f2780e776553678e6fd177601769d4f7e51428db745

Download Submit
C:\Users\Admin\AppData\Local\Temp\239a9642-beb1-4063-bf8c-daea332d6351.vbs

Filesize
707B

MD5
267bb6c582890309cd809ed13974e239

SHA1
5c9c5661983beb28c387f43309f5e91c4523aedd

SHA256
0159af48270020d31357c4f5cd4d059f3f8dfe03b36a7abb16749257ac6907ba

SHA512
e8593a3f6fae12ee4c695406e5ad7fd6837eb61b59063612f5ef088f4216d21be0777a2a58ca53ac06e200672d9e772ccf52a8f8b819136ab03d6cd1debe6cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\24da31cb-29c4-45b6-a9b6-6d147028c615.vbs

Filesize
707B

MD5
6d750fe84d8a3eee3f78410a8fb94b4f

SHA1
eb93c20703cbcb28ebde7b0e95e2e09e6449d4ce

SHA256
a24f5a0ebfc6ce06d5590a33236345719cd0bf4fd64bdfef3ea6a18aa5e00989

SHA512
306ca14ecefac34e70aeef6d04e4745fcc41d4412dfd02d39dd6316b18bc41a3997852fec8b867cd13c2424bc134336cd3b655fffcab55a883ff573d27b6c5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ZyU9bk9ST.bat

Filesize
196B

MD5
84f8d87dcce4836e58bc55a62bd585e7

SHA1
7d5fe0897b4b102fd0f4a9bf64d4073a1484f809

SHA256
df047b844339f3c96fdb62425c28783870ba48aa9c2072f3dab9016600eefc73

SHA512
9a6c4865905c582a7d4d2007f179291f13d6c708c5cf7311a15dce98840e775e3e1844f6344d6af624464b8c3461fbe7050f29f8419b05c0427cd8d843433a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\41859c88-e4f8-4078-aac1-89f8d241b744.vbs

Filesize
707B

MD5
15a6bbe84ac90c2baca34bc4c127a83b

SHA1
35a241f96ac46114e91e40a843da6fd08875ddc3

SHA256
db70d74461b99ee0d7c7bd7fc6cc846c5b011477aae559ea55d95c1e170ac8a1

SHA512
d3e0f812bf9754d97cdfd6053c8c5a48c45f08efd561acc43b0b9a9a9c9fe33af1d8abe5aaa296912ebb5c4cf5bff21f452b7c6d7f43c43f90d848231d46ae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfad13d2-47ed-4917-98e1-fe72ecad93ef.vbs

Filesize
707B

MD5
d02c6708c1ac64370a617e461e8c441e

SHA1
83c8b62817ef985c2c43e1b7c8b3f36ae969d459

SHA256
3cf890b3d936da4a25d8f2bae3cd4245e6c3e4f36c450e7a218fc8adb06a4c39

SHA512
62e2733c6a1f8acf406fde808d8a021809141a93270550aae83b350266eebbddfa310d59367c0feb715a8d2eca2ae6aee6591ecc8d3cec2822d60fab56fc63d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2966e8f-8ec8-467e-b7eb-070aa17cfdea.vbs

Filesize
707B

MD5
8ecbeb35132f4ced5e7eb580489e4176

SHA1
db1007b4a9db4102c104c6d8cabad64ab4aa9226

SHA256
e89df3e202137734f85d4966b6e1c27ace74882955948bccc84ec57bd6beb143

SHA512
e87a2033ecc3b95dcfc4754f00b750330e90dff47add61d58caa2b000106ded8c13964779fc0f7ed45a6c1602fdcaaa08771a4aa3ca3727d3e6addc09c00727b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3f8102c-8c49-4546-952f-2b23aefea48b.vbs

Filesize
707B

MD5
59a951695114e70d566169c8937a4d18

SHA1
a4bea0d7301ca68c61d3290a2d94df91d87a679d

SHA256
e33164df0177ef681e19822bb869e155b09da0c5172ea816f38e101fa822088b

SHA512
5dcf081c3cdffaabc9c76ed815ee5b1af2f14fc4a5911111472100f41f2dbc0ab414fdfd28a726fbe42becc61837f9df494d10c9795653001142a7c1629505f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1653d71-0374-406b-89f7-c89b8299c51c.vbs

Filesize
707B

MD5
d27089ed5bc2b9b5c2ae1789d3f98168

SHA1
f32d437298bc05365a8fdf76ca381905d394a0d1

SHA256
8abec9bf4e19c3a78f751d624b4e3c3a93bfe83c169ca2c6d577fa0629c6f65c

SHA512
a092e05f91b9fd8f91280b50dba7185fcb72ef885a5afd64602a14b83c469b60f2de1a1d34527188df0838dda2995bccae802d5a61032e6fb6c0f16a8b318501

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6911cfc-80fb-4dce-81f5-cdf4e2a50626.vbs

Filesize
483B

MD5
227374c741172992d3ad47f121d3bc4f

SHA1
4bc9567807eb953968f74e03f3c9382f06faf1dc

SHA256
2e1b500c09567ae72b9ff2b0add8cf47d28be52e0db8c1aa92b470718c5f8a72

SHA512
a5ccdd5ea33368eef53e5f549fdcb1ad6b51742b19d2a0711d3487991f213e8d85dd6a7fbb8dec45625831c6cf6c9f2099e33b6b516f88c258b75a5a166aa1cd

Download Submit
C:\msPortRefnetdhcp\componentWininto.exe

Filesize
3.4MB

MD5
53758cea18d59182a809208313d5042a

SHA1
0234e732dea00414c79ca2ce8a55f61843f282d2

SHA256
5cae0557099a16d45a03f05f95390ec5bd5ba5a44edd73286e741fe09f93bddf

SHA512
3d7900c7a6060367beaf7abde33027958d28091b001d25c395d191f0cf442216d5cacff4a123bbd1ae767f471ae3a517659f9c42798be8c772f2f7411a7b952e

Download Submit
C:\msPortRefnetdhcp\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\msPortRefnetdhcp\m6JlOKDKnmGOe6a.bat

Filesize
42B

MD5
b025044714b20d9d7069a2c2f55ddf04

SHA1
36d7dce3f0fa6a1bd86e795bcde3c9a1b2e9a7f6

SHA256
e6d9546e0e8d9b92ef203f408f33722c3b4ffcd2f400aa08bb0b49ac182b69b3

SHA512
3a24c4ad9c1b298a97c5d4e994233a84dc27d4c0d612cc8d8e94cbd16e3ceaec96d66d4503a6a506644de509a3509f53ea122bf92cc09de087254f40b5a1c65c

Download Submit
C:\msPortRefnetdhcp\zRMFcMzN1094wnGdurNck4fGlt.vbe

Filesize
208B

MD5
c7c964910bef0490e2a401349c25126b

SHA1
ba3581dc5945f35f83bc216fc5a1decfbe6e47ef

SHA256
d41a100832e46a8928ad06780a40e08f147e97ac014170ca48779f98f4d5b7ff

SHA512
198c571a056d5896928b5a93c918e9f7407dd0d5e39893db39a1dbcad9d6ec2df63925cbe69346f8f4681bfe37c23844feee5cbd1f45bc9c48796aef1d66372f

Download Submit
\Users\Admin\AppData\Local\Temp\CyberLoader.exe

Filesize
3.7MB

MD5
1b4cf2a40e1387cf97dfbe1303c9619a

SHA1
a3f98a0ca89495958f6171f775aa6b96bdf6e0de

SHA256
6e7050be5d9e4042ba632c228890329f41550608b6de25094bdf5e4ae9448833

SHA512
a45b2066cc48cfab284fd61ab5413ba0368bb457af22425a8b469a83ca4ff75f3378b43dc6ce988caac98b8272333e31e590a3c2ae8a3ffd4b1fe9199f5b8400

Download Submit
\Users\Admin\AppData\Local\Temp\MVPLoader.exe

Filesize
340KB

MD5
f1f43cf5a79e51ba13ef602b25c63a9e

SHA1
df986285c4e6f2355b0f528a13063f5d855a250c

SHA256
4dff4a3558b40b19e961fc8adc45e00b2b7dbd6ebabbc219d1446bc6ca5350e8

SHA512
6867d3d6d01a4a170e4d5ab9115408a97c7e5a00730632259d9afae7b688f214c455c014bdff2fc90185dd92f96c06d0c13f39ab09535e1add9fb7ea49ec5384

Download Submit
\Users\Admin\AppData\Local\Temp\ÑyberLoad.exe

Filesize
4.1MB

MD5
a84070968353edcc9559f54deedd8fe9

SHA1
27187ea020c4fcfad6783debbea35883b1125538

SHA256
6b1ff20c95ab7ea0d16f441c6726f6112bbae1c620696f2e9bec01b4926dc1f4

SHA512
134a25e91d0b088a9dd57ce0310a1f164f6586624dd71a02001ece26b70d3d8fd201ece35b5a9b15764f983cbf9da099b8f13b5e99584ada093f12c506a2500e

Download Submit
memory/612-9-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/1164-20-0x0000000000400000-0x0000000000816000-memory.dmp

Filesize
4.1MB

Download
memory/1648-162-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/1648-161-0x000007FEF4880000-0x000007FEF526C000-memory.dmp

Filesize
9.9MB

Download
memory/1648-173-0x000007FEF4880000-0x000007FEF526C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-175-0x00000000002E0000-0x000000000064A000-memory.dmp

Filesize
3.4MB

Download
memory/1712-176-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-177-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1832-100-0x000007FEF5110000-0x000007FEF5AFC000-memory.dmp

Filesize
9.9MB

Download
memory/1832-112-0x000007FEF5110000-0x000007FEF5AFC000-memory.dmp

Filesize
9.9MB

Download
memory/1832-99-0x00000000008D0000-0x0000000000C3A000-memory.dmp

Filesize
3.4MB

Download
memory/1832-101-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/1832-102-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1968-132-0x0000000000EA0000-0x0000000000EF6000-memory.dmp

Filesize
344KB

Download
memory/1968-130-0x000007FEF4880000-0x000007FEF526C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-131-0x000000001AB70000-0x000000001ABF0000-memory.dmp

Filesize
512KB

Download
memory/1968-143-0x000007FEF4880000-0x000007FEF526C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-114-0x0000000000F20000-0x000000000128A000-memory.dmp

Filesize
3.4MB

Download
memory/2520-115-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-116-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/2520-117-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2520-128-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-57-0x0000000001230000-0x0000000001286000-memory.dmp

Filesize
344KB

Download
memory/2548-62-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/2548-74-0x000000001AF80000-0x000000001AF88000-memory.dmp

Filesize
32KB

Download
memory/2548-72-0x000000001AF60000-0x000000001AF68000-memory.dmp

Filesize
32KB

Download
memory/2548-70-0x000000001AB70000-0x000000001AB7A000-memory.dmp

Filesize
40KB

Download
memory/2548-69-0x000000001AB60000-0x000000001AB6C000-memory.dmp

Filesize
48KB

Download
memory/2548-68-0x000000001AB50000-0x000000001AB58000-memory.dmp

Filesize
32KB

Download
memory/2548-78-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

Filesize
48KB

Download
memory/2548-96-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-77-0x000000001AFB0000-0x000000001AFBA000-memory.dmp

Filesize
40KB

Download
memory/2548-75-0x000000001AF90000-0x000000001AF9C000-memory.dmp

Filesize
48KB

Download
memory/2548-73-0x000000001AF70000-0x000000001AF7E000-memory.dmp

Filesize
56KB

Download
memory/2548-71-0x000000001AB80000-0x000000001AB8E000-memory.dmp

Filesize
56KB

Download
memory/2548-64-0x00000000012C0000-0x00000000012CC000-memory.dmp

Filesize
48KB

Download
memory/2548-67-0x000000001AB40000-0x000000001AB4C000-memory.dmp

Filesize
48KB

Download
memory/2548-65-0x00000000012D0000-0x00000000012D8000-memory.dmp

Filesize
32KB

Download
memory/2548-66-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/2548-63-0x00000000012B0000-0x00000000012BC000-memory.dmp

Filesize
48KB

Download
memory/2548-46-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2548-59-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/2548-60-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/2548-76-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

Filesize
32KB

Download
memory/2548-61-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/2548-48-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2548-58-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2548-50-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/2548-51-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2548-41-0x00000000012F0000-0x000000000165A000-memory.dmp

Filesize
3.4MB

Download
memory/2548-42-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-43-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2548-44-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2548-56-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/2548-45-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2548-55-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/2548-54-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/2548-53-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2548-52-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2548-49-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2548-47-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/2604-159-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-148-0x0000000000BF0000-0x0000000000C46000-memory.dmp

Filesize
344KB

Download
memory/2604-147-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2604-146-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/2604-145-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

Filesize
9.9MB

Download