Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 13-05-2024 23:01

Behavioral task: behavioral1
Sample: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Resource: win10v2004-20240508-en
General
Target: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Size: 1.2MB
MD5: 7b05cf7f9e8162f55d50f10f711df29a
SHA1: 6c077351d11f6069067d69b6ece6d0989e972c99
SHA256: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47
SHA512: 275b2d3680a92510c0a72c5e369c5c2ca57be94b71e4c668a8be9874b85bf084a6d065973cfce685580ed123adfba95373338c0b2009be86399afcd4c7c1a0d8
SSDEEP: 24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (45 instances)
description (all 45 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process | target process
1748 | 1948 | schtasks.exe |
4712 | 1948 | schtasks.exe |
3060 | 1948 | schtasks.exe |
2776 | 1948 | schtasks.exe |
3720 | 1948 | schtasks.exe |
400 | 1948 | schtasks.exe |
5028 | 1948 | schtasks.exe |
4848 | 1948 | schtasks.exe |
1416 | 1948 | schtasks.exe |
3612 | 1948 | schtasks.exe |
1916 | 1948 | schtasks.exe |
1584 | 1948 | schtasks.exe |
2060 | 1948 | schtasks.exe |
5092 | 1948 | schtasks.exe |
2376 | 1948 | schtasks.exe |
1752 | 1948 | schtasks.exe |
2476 | 1948 | schtasks.exe |
876 | 1948 | schtasks.exe |
4232 | 1948 | schtasks.exe |
3020 | 1948 | schtasks.exe |
3368 | 1948 | schtasks.exe |
4600 | 1948 | schtasks.exe |
4732 | 1948 | schtasks.exe |
880 | 1948 | schtasks.exe |
4920 | 1948 | schtasks.exe |
1040 | 1948 | schtasks.exe |
4060 | 1948 | schtasks.exe |
4656 | 1948 | schtasks.exe |
1536 | 1948 | schtasks.exe |
2424 | 1948 | schtasks.exe |
2920 | 1948 | schtasks.exe |
4080 | 1948 | schtasks.exe |
2548 | 1948 | schtasks.exe |
3924 | 1948 | schtasks.exe |
3228 | 1948 | schtasks.exe |
2624 | 1948 | schtasks.exe |
216 | 1948 | schtasks.exe |
1576 | 1948 | schtasks.exe |
2620 | 1948 | schtasks.exe |
2500 | 1948 | schtasks.exe |
3248 | 1948 | schtasks.exe |
1012 | 1948 | schtasks.exe |
1028 | 1948 | schtasks.exe |
4692 | 1948 | schtasks.exe |
3320 | 1948 | schtasks.exe |
-
Processes: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe, csrss.exe (12 instances)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4392-1-0x0000000000100000-0x000000000023A000-memory.dmp | dcrat
C:\Windows\CbsTemp\explorer.exe | dcrat
C:\Users\Admin\Downloads\fontdrvhost.exe | dcrat
-
Detects executables containing base64 encoded gzip files 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4392-1-0x0000000000100000-0x000000000023A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\Windows\CbsTemp\explorer.exe | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\Users\Admin\Downloads\fontdrvhost.exe | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
-
Detects executables packed with SmartAssembly 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4392-6-0x0000000002490000-0x00000000024A0000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4392-9-0x00000000024D0000-0x00000000024DA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4392-14-0x000000001AF50000-0x000000001AF5C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4392-11-0x000000001AF20000-0x000000001AF2C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4392-16-0x000000001AF70000-0x000000001AF7A000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4392-18-0x000000001AF90000-0x000000001AF9C000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/4392-20-0x000000001AFB0000-0x000000001AFBA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: csrss.exe (8 instances), 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe, csrss.exe (4 instances)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | csrss.exe
-
Executes dropped EXE 12 IoCs
Processes: csrss.exe (12 instances)
pid | process
2300 | csrss.exe
1412 | csrss.exe
5076 | csrss.exe
1084 | csrss.exe
4648 | csrss.exe
4432 | csrss.exe
5096 | csrss.exe
1456 | csrss.exe
5076 | csrss.exe
1840 | csrss.exe
4172 | csrss.exe
3500 | csrss.exe
-
Processes: csrss.exe (10 instances), 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe, csrss.exe (2 instances)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
-
Drops file in Program Files directory 12 IoCs
Processes: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
process (all 12 rows): 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
description | ioc
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\ea1d8f6d871115
File opened for modification | C:\Program Files\Microsoft Office 15\dllhost.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\RCX6952.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX74E0.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe
File created | C:\Program Files\Microsoft Office 15\dllhost.exe
File created | C:\Program Files\Microsoft Office 15\5940a34987c991
File created | C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\0a1fd5f707cd16
File opened for modification | C:\Program Files\Microsoft Office 15\RCX6344.tmp
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
-
Drops file in Windows directory 25 IoCs
Processes: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
process (all 25 rows): 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
description | ioc
File created | C:\Windows\InputMethod\6203df4a6bafc7
File created | C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe
File opened for modification | C:\Windows\GameBarPresenceWriter\RCX5F3B.tmp
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe
File created | C:\Windows\PolicyDefinitions\Registry.exe
File created | C:\Windows\WaaS\services\sysmon.exe
File created | C:\Windows\System\9e8d7a4ca61bd9
File created | C:\Windows\PolicyDefinitions\ee2ad38f3d4382
File opened for modification | C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe
File opened for modification | C:\Windows\CbsTemp\RCX613F.tmp
File opened for modification | C:\Windows\security\ApplicationId\PolicyManagement\RCX725E.tmp
File created | C:\Windows\System\RuntimeBroker.exe
File opened for modification | C:\Windows\InputMethod\RCX6DD8.tmp
File created | C:\Windows\CbsTemp\explorer.exe
File opened for modification | C:\Windows\PolicyDefinitions\RCX5B32.tmp
File opened for modification | C:\Windows\System\RCX592D.tmp
File created | C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe
File opened for modification | C:\Windows\CbsTemp\explorer.exe
File opened for modification | C:\Windows\System\RuntimeBroker.exe
File created | C:\Windows\security\ApplicationId\PolicyManagement\eddb19405b7ce1
File opened for modification | C:\Windows\InputMethod\lsass.exe
File created | C:\Windows\CbsTemp\7a0fd90576e088
File created | C:\Windows\InputMethod\lsass.exe
File opened for modification | C:\Windows\PolicyDefinitions\Registry.exe
File created | C:\Windows\GameBarPresenceWriter\e6c9b481da804f
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (45 instances)
process (all 45 rows): schtasks.exe
pid: 876, 1040, 4060, 2548, 400, 4848, 5092, 2476, 3228, 4712, 4656, 2424, 2624, 1536, 1576, 3248, 2920, 3924, 216, 2500, 2776, 3612, 1752, 3368, 1028, 3320, 4692, 1748, 1416, 2376, 4232, 5028, 1584, 4732, 4080, 1012, 3720, 1916, 2060, 4600, 2620, 3060, 3020, 880, 4920
-
Modifies registry class 13 IoCs
Processes: csrss.exe (9 instances), 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe, csrss.exe (3 instances)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | csrss.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe, csrss.exe
pid | process
4392 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe (45 rows)
2300 | csrss.exe (19 rows)
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes: 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe, csrss.exe (12 instances)
description | pid | process
Token: SeDebugPrivilege | 4392 | 7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
Token: SeDebugPrivilege | 2300 | csrss.exe
Token: SeDebugPrivilege | 1412 | csrss.exe
Token: SeDebugPrivilege | 5076 | csrss.exe
Token: SeDebugPrivilege | 1084 | csrss.exe
Token: SeDebugPrivilege | 4648 | csrss.exe
Token: SeDebugPrivilege | 4432 | csrss.exe
Token: SeDebugPrivilege | 5096 | csrss.exe
Token: SeDebugPrivilege | 1456 | csrss.exe
Token: SeDebugPrivilege | 5076 | csrss.exe
Token: SeDebugPrivilege | 1840 | csrss.exe
Token: SeDebugPrivilege | 4172 | csrss.exe
Token: SeDebugPrivilege | 3500 | csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 4392 wrote to memory of 3784 (7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe -> cmd.exe)
- PID 4392 wrote to memory of 3784 (7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe -> cmd.exe)
- PID 3784 wrote to memory of 4624 (cmd.exe -> w32tm.exe)
- PID 3784 wrote to memory of 4624 (cmd.exe -> w32tm.exe)
- PID 3784 wrote to memory of 2300 (cmd.exe -> csrss.exe)
- PID 3784 wrote to memory of 2300 (cmd.exe -> csrss.exe)
- PID 2300 wrote to memory of 3232 (csrss.exe -> WScript.exe)
- PID 2300 wrote to memory of 3232 (csrss.exe -> WScript.exe)
- PID 2300 wrote to memory of 2376 (csrss.exe -> WScript.exe)
- PID 2300 wrote to memory of 2376 (csrss.exe -> WScript.exe)
- PID 3232 wrote to memory of 1412 (WScript.exe -> csrss.exe)
- PID 3232 wrote to memory of 1412 (WScript.exe -> csrss.exe)
- PID 1412 wrote to memory of 2172 (csrss.exe -> WScript.exe)
- PID 1412 wrote to memory of 2172 (csrss.exe -> WScript.exe)
- PID 1412 wrote to memory of 3344 (csrss.exe -> WScript.exe)
- PID 1412 wrote to memory of 3344 (csrss.exe -> WScript.exe)
- PID 2172 wrote to memory of 5076 (WScript.exe -> csrss.exe)
- PID 2172 wrote to memory of 5076 (WScript.exe -> csrss.exe)
- PID 5076 wrote to memory of 1908 (csrss.exe -> WScript.exe)
- PID 5076 wrote to memory of 1908 (csrss.exe -> WScript.exe)
- PID 5076 wrote to memory of 3272 (csrss.exe -> WScript.exe)
- PID 5076 wrote to memory of 3272 (csrss.exe -> WScript.exe)
- PID 1908 wrote to memory of 1084 (WScript.exe -> csrss.exe)
- PID 1908 wrote to memory of 1084 (WScript.exe -> csrss.exe)
- PID 1084 wrote to memory of 1652 (csrss.exe -> WScript.exe)
- PID 1084 wrote to memory of 1652 (csrss.exe -> WScript.exe)
- PID 1084 wrote to memory of 1756 (csrss.exe -> WScript.exe)
- PID 1084 wrote to memory of 1756 (csrss.exe -> WScript.exe)
- PID 1652 wrote to memory of 4648 (WScript.exe -> csrss.exe)
- PID 1652 wrote to memory of 4648 (WScript.exe -> csrss.exe)
- PID 4648 wrote to memory of 408 (csrss.exe -> WScript.exe)
- PID 4648 wrote to memory of 408 (csrss.exe -> WScript.exe)
- PID 4648 wrote to memory of 2312 (csrss.exe -> WScript.exe)
- PID 4648 wrote to memory of 2312 (csrss.exe -> WScript.exe)
- PID 408 wrote to memory of 4432 (WScript.exe -> csrss.exe)
- PID 408 wrote to memory of 4432 (WScript.exe -> csrss.exe)
- PID 4432 wrote to memory of 1408 (csrss.exe -> WScript.exe)
- PID 4432 wrote to memory of 1408 (csrss.exe -> WScript.exe)
- PID 4432 wrote to memory of 5028 (csrss.exe -> WScript.exe)
- PID 4432 wrote to memory of 5028 (csrss.exe -> WScript.exe)
- PID 1408 wrote to memory of 5096 (WScript.exe -> csrss.exe)
- PID 1408 wrote to memory of 5096 (WScript.exe -> csrss.exe)
- PID 5096 wrote to memory of 3064 (csrss.exe -> WScript.exe)
- PID 5096 wrote to memory of 3064 (csrss.exe -> WScript.exe)
- PID 5096 wrote to memory of 712 (csrss.exe -> WScript.exe)
- PID 5096 wrote to memory of 712 (csrss.exe -> WScript.exe)
- PID 3064 wrote to memory of 1456 (WScript.exe -> csrss.exe)
- PID 3064 wrote to memory of 1456 (WScript.exe -> csrss.exe)
- PID 1456 wrote to memory of 4972 (csrss.exe -> WScript.exe)
- PID 1456 wrote to memory of 4972 (csrss.exe -> WScript.exe)
- PID 1456 wrote to memory of 4832 (csrss.exe -> WScript.exe)
- PID 1456 wrote to memory of 4832 (csrss.exe -> WScript.exe)
- PID 4972 wrote to memory of 5076 (WScript.exe -> csrss.exe)
- PID 4972 wrote to memory of 5076 (WScript.exe -> csrss.exe)
- PID 5076 wrote to memory of 3068 (csrss.exe -> WScript.exe)
- PID 5076 wrote to memory of 3068 (csrss.exe -> WScript.exe)
- PID 5076 wrote to memory of 3204 (csrss.exe -> WScript.exe)
- PID 5076 wrote to memory of 3204 (csrss.exe -> WScript.exe)
- PID 3068 wrote to memory of 1840 (WScript.exe -> csrss.exe)
- PID 3068 wrote to memory of 1840 (WScript.exe -> csrss.exe)
- PID 1840 wrote to memory of 4572 (csrss.exe -> WScript.exe)
- PID 1840 wrote to memory of 4572 (csrss.exe -> WScript.exe)
- PID 1840 wrote to memory of 5064 (csrss.exe -> WScript.exe)
- PID 1840 wrote to memory of 5064 (csrss.exe -> WScript.exe)
System policy modification 1 TTPs 39 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe  "C:\Users\Admin\AppData\Local\Temp\7ce25c8e4134782b2c23d136157a2a6a37884352910db11fee3acf71e5db7c47.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4392
2⤵ C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat"
- Suspicious use of WriteProcessMemory
PID:3784
3⤵ C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:4624
3⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2300
4⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a414dbf-5397-4f4f-ada3-ecb35aa923c2.vbs"
- Suspicious use of WriteProcessMemory
PID:3232
5⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1412
6⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22d16109-f7a0-483b-ade4-9363da0fa9eb.vbs"
- Suspicious use of WriteProcessMemory
PID:2172
7⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5076
8⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529b3577-5c0e-4203-845b-d7ed70a8dcdb.vbs"
- Suspicious use of WriteProcessMemory
PID:1908
9⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084
10⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14533410-8406-4b29-a6b4-d838ab77bfb2.vbs"
- Suspicious use of WriteProcessMemory
PID:1652
11⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4648
12⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5887cac0-59f8-489c-b4e8-4b6b9901f767.vbs"
- Suspicious use of WriteProcessMemory
PID:408
13⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4432
14⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0582d10-13c4-487f-82f4-0a8ecf98c2e6.vbs"
- Suspicious use of WriteProcessMemory
PID:1408
15⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5096
16⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec20a89-3ef5-426c-a6be-f3c98ca40f24.vbs"
- Suspicious use of WriteProcessMemory
PID:3064
17⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1456
18⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb9962c6-39f1-45e4-aee9-c7e531c1eb0f.vbs"
- Suspicious use of WriteProcessMemory
PID:4972
19⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5076
20⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47d627c-466e-481b-beee-5602e2f50c7b.vbs"
- Suspicious use of WriteProcessMemory
PID:3068
21⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1840
22⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ded2a714-455c-45a0-ab48-25c38291836a.vbs"
PID:4572
23⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4172
24⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80764739-2eb7-4efe-a493-e651a4d57895.vbs"
PID:3668
25⤵ C:\Users\Default User\csrss.exe  "C:\Users\Default User\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3500
26⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a80b62-b432-476e-bbd4-d66a7a7ea57e.vbs"
PID:2920
26⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b421495f-0eb6-4ffe-87a5-e948ea68b4c3.vbs"
PID:4732
24⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8088d221-530a-4424-b184-73252730254a.vbs"
PID:4640
22⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4257a2a3-fedf-429e-8f4e-1db5cb67ca44.vbs"
PID:5064
20⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\836fc1bf-da27-4752-bbed-0c0ab2d2f02e.vbs"
PID:3204
18⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24b5478f-0f66-46ae-b555-990933997449.vbs"
PID:4832
16⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2042511e-12dc-49ec-a5ff-9bdddd0f69b2.vbs"
PID:712
14⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c95c64a-4174-4d5a-af47-fbe8253ec2af.vbs"
PID:5028
12⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3568498-3830-4a29-9a4a-d1203feb1f5d.vbs"
PID:2312
10⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd2ea87-fd2c-4f87-8b5c-e582763e9efb.vbs"
PID:1756
8⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\835fb278-9e33-4414-980e-e6b934b69418.vbs"
PID:3272
6⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8be459a-9e03-4b0d-a677-6fb17dd96bc8.vbs"
PID:3344
4⤵ C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\722535dd-9925-443a-b2bc-e0803ad07851.vbs"
PID:2376
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\System\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\System\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\Registry.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\InputMethod\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
1⤵ C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads