dcrat | baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353

Analysis

max time kernel
120s
max time network
116s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Size

4.9MB
MD5

916dfec6e74a12ca331424d9a83f6270
SHA1

e0990916cd17d53000a9d4feec420c7965bcc23f
SHA256

baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353
SHA512

230dd85c3a6e7ff009a4ce16d692f32269c38a04681faf09badcad5cb9c7f7ee768960fd69f40e4203df31c0a6d06e1340499e0abb8bba45609de34b33f2a5d4
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2880	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3012-2-0x000000001B690000-0x000000001B7BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1156	powershell.exe
2772	powershell.exe
1960	powershell.exe
1656	powershell.exe
1208	powershell.exe
1436	powershell.exe
2936	powershell.exe
2904	powershell.exe
2780	powershell.exe
1848	powershell.exe
2940	powershell.exe
1752	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
688	csrss.exe
536	csrss.exe
1576	csrss.exe
796	csrss.exe
1792	csrss.exe
1500	csrss.exe
2072	csrss.exe
868	csrss.exe
2848	csrss.exe
2076	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\6ccacd8608530f	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Java\RCXB89A.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Java\Idle.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Java\Idle.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IME\es-ES\winlogon.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Windows\IME\es-ES\cc11b995f2a76d	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Windows\IME\es-ES\RCXB118.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Windows\IME\es-ES\winlogon.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2120	schtasks.exe
1588	schtasks.exe
2584	schtasks.exe
3052	schtasks.exe
2488	schtasks.exe
2720	schtasks.exe
2860	schtasks.exe
2808	schtasks.exe
668	schtasks.exe
2364	schtasks.exe
2704	schtasks.exe
2640	schtasks.exe
2196	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
1436	powershell.exe
1208	powershell.exe
2780	powershell.exe
1656	powershell.exe
2936	powershell.exe
2904	powershell.exe
1156	powershell.exe
1848	powershell.exe
2772	powershell.exe
1752	powershell.exe
2940	powershell.exe
1960	powershell.exe
688	csrss.exe
536	csrss.exe
1576	csrss.exe
796	csrss.exe
1792	csrss.exe
1500	csrss.exe
2072	csrss.exe
868	csrss.exe
2848	csrss.exe
2076	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	688	csrss.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	536	csrss.exe
Token: SeDebugPrivilege	1576	csrss.exe
Token: SeDebugPrivilege	796	csrss.exe
Token: SeDebugPrivilege	1792	csrss.exe
Token: SeDebugPrivilege	1500	csrss.exe
Token: SeDebugPrivilege	2072	csrss.exe
Token: SeDebugPrivilege	868	csrss.exe
Token: SeDebugPrivilege	2848	csrss.exe
Token: SeDebugPrivilege	2076	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1960	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	46
PID 3012 wrote to memory of 1960	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	46
PID 3012 wrote to memory of 1960	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	46
PID 3012 wrote to memory of 2780	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	47
PID 3012 wrote to memory of 2780	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	47
PID 3012 wrote to memory of 2780	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	47
PID 3012 wrote to memory of 1656	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	48
PID 3012 wrote to memory of 1656	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	48
PID 3012 wrote to memory of 1656	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	48
PID 3012 wrote to memory of 1848	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	49
PID 3012 wrote to memory of 1848	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	49
PID 3012 wrote to memory of 1848	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	49
PID 3012 wrote to memory of 2940	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	50
PID 3012 wrote to memory of 2940	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	50
PID 3012 wrote to memory of 2940	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	50
PID 3012 wrote to memory of 1208	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	51
PID 3012 wrote to memory of 1208	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	51
PID 3012 wrote to memory of 1208	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	51
PID 3012 wrote to memory of 1436	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	52
PID 3012 wrote to memory of 1436	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	52
PID 3012 wrote to memory of 1436	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	52
PID 3012 wrote to memory of 1156	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	53
PID 3012 wrote to memory of 1156	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	53
PID 3012 wrote to memory of 1156	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	53
PID 3012 wrote to memory of 1752	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	54
PID 3012 wrote to memory of 1752	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	54
PID 3012 wrote to memory of 1752	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	54
PID 3012 wrote to memory of 2936	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	55
PID 3012 wrote to memory of 2936	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	55
PID 3012 wrote to memory of 2936	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	55
PID 3012 wrote to memory of 2772	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	56
PID 3012 wrote to memory of 2772	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	56
PID 3012 wrote to memory of 2772	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	56
PID 3012 wrote to memory of 2904	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	57
PID 3012 wrote to memory of 2904	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	57
PID 3012 wrote to memory of 2904	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	57
PID 3012 wrote to memory of 688	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	70
PID 3012 wrote to memory of 688	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	70
PID 3012 wrote to memory of 688	3012	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	70
PID 688 wrote to memory of 2820	688	csrss.exe	71
PID 688 wrote to memory of 2820	688	csrss.exe	71
PID 688 wrote to memory of 2820	688	csrss.exe	71
PID 688 wrote to memory of 2740	688	csrss.exe	72
PID 688 wrote to memory of 2740	688	csrss.exe	72
PID 688 wrote to memory of 2740	688	csrss.exe	72
PID 2820 wrote to memory of 536	2820	WScript.exe	74
PID 2820 wrote to memory of 536	2820	WScript.exe	74
PID 2820 wrote to memory of 536	2820	WScript.exe	74
PID 536 wrote to memory of 2444	536	csrss.exe	75
PID 536 wrote to memory of 2444	536	csrss.exe	75
PID 536 wrote to memory of 2444	536	csrss.exe	75
PID 536 wrote to memory of 1904	536	csrss.exe	76
PID 536 wrote to memory of 1904	536	csrss.exe	76
PID 536 wrote to memory of 1904	536	csrss.exe	76
PID 2444 wrote to memory of 1576	2444	WScript.exe	77
PID 2444 wrote to memory of 1576	2444	WScript.exe	77
PID 2444 wrote to memory of 1576	2444	WScript.exe	77
PID 1576 wrote to memory of 348	1576	csrss.exe	78
PID 1576 wrote to memory of 348	1576	csrss.exe	78
PID 1576 wrote to memory of 348	1576	csrss.exe	78
PID 1576 wrote to memory of 2984	1576	csrss.exe	79
PID 1576 wrote to memory of 2984	1576	csrss.exe	79
PID 1576 wrote to memory of 2984	1576	csrss.exe	79
PID 348 wrote to memory of 796	348	WScript.exe	80

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
"C:\Users\Admin\AppData\Local\Temp\baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Users\All Users\csrss.exe
  "C:\Users\All Users\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\895d50c8-e1e4-419f-bcbf-80c86c77bc78.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\All Users\csrss.exe
      "C:\Users\All Users\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9755f5a2-dd94-4ca8-90cd-c57aff20b04e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\858f39b4-5d2b-4802-8637-891d3a3f7d1e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abdafa24-baaa-4971-80b1-35ea8ee979c6.vbs"
        9⤵
        
        PID:2140
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c26f8d7-69a9-4266-905c-426d6a3ac63e.vbs"
        11⤵
        
        PID:2704
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f510e22a-abae-4321-8647-15d915921249.vbs"
        13⤵
        
        PID:1252
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49ff6f80-cd71-45bd-b501-c519f27cff87.vbs"
        15⤵
        
        PID:1724
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390afdb6-0ec6-4fe7-9b5d-f2f30a939698.vbs"
        17⤵
        
        PID:2724
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddd8ebd7-1cf5-4317-9948-cdffde6c8602.vbs"
        19⤵
        
        PID:1628
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5a34b2-eecf-457a-ba52-52515e0de69c.vbs"
        19⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fdb9bb-9646-432c-ab96-9217f8b655b5.vbs"
        17⤵
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8da181a-85de-4ba5-b934-60c8afebdd82.vbs"
        15⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ea76fc8-2caa-4952-a608-c602cb320051.vbs"
        13⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32d247fc-63f9-42d5-bd57-d2bbd5dcdf6c.vbs"
        11⤵
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55234bd4-fe46-47f6-be08-f7a65c98a3e8.vbs"
        9⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a57b21a-1c2e-46bf-adb3-02ad394f74ca.vbs"
        7⤵
        
        PID:2984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82475518-69a2-466e-b306-6dfc2e6d2c79.vbs"
        5⤵
        
        PID:1904
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc06834e-82d3-4e90-a9d0-ac1568216f9d.vbs"
    3⤵
    PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Libraries\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
4.9MB

MD5
a40c6d5c0ce76e84475d46b65b1967c7

SHA1
2782bc0f1865eca56ff5015f8ec863fc58f2cad1

SHA256
28745420fa85455d63e06050fdda84cfb610e9667d305fd1a9e8c8f43c32e10b

SHA512
fc0e33bfa01dd0ba9235be36e8c13700531f0e60942d2c1e93424920d92c21982827ea5449629c2ab026e9713692f73be99b76fddb0378559137a8a7d58667be

Download Submit
C:\Recovery\6f0e9922-3d6d-11ef-b835-f2a3cf4ad94f\winlogon.exe

Filesize
4.9MB

MD5
916dfec6e74a12ca331424d9a83f6270

SHA1
e0990916cd17d53000a9d4feec420c7965bcc23f

SHA256
baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353

SHA512
230dd85c3a6e7ff009a4ce16d692f32269c38a04681faf09badcad5cb9c7f7ee768960fd69f40e4203df31c0a6d06e1340499e0abb8bba45609de34b33f2a5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\390afdb6-0ec6-4fe7-9b5d-f2f30a939698.vbs

Filesize
703B

MD5
f18dc094c6de47dbca215a4b4cfe176a

SHA1
a3743ad9a47b6e88a95858fd241390cf635d6881

SHA256
e36cbbdb9b4b50ec273a3ee81d3cd48c7b0973c1958b1c5bf641b44b0a9d9a60

SHA512
553208aa336dd663f4d5d79af3a3cc379166d35bfa5a124d5361e83f2f246d9a37a48f55e81cd0e1630da582c365af65cec31e26e10246296f8b269af37f7b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\49ff6f80-cd71-45bd-b501-c519f27cff87.vbs

Filesize
704B

MD5
4e6b60a4baf88013f7373579b0eff30e

SHA1
9ce391152d4c0e8f9f960b577aae6c50bcc5d40a

SHA256
63216552f2c4423f9d4016e6116363261a8fa93ec30db2eef66ccb2e20da83a3

SHA512
9d37b3221ea4d5b21582e62d2674f121c2e361a2a94143ed138c62086183e3d6a9c2115b1750ac5e021a7ba2a1a2b3ca4c11ee6af6e77110d5f6c84af42aad7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\858f39b4-5d2b-4802-8637-891d3a3f7d1e.vbs

Filesize
704B

MD5
3be766ee1a9c38374c1f1b829d78f868

SHA1
11eb0a292900e22546753c77ef657d946c167411

SHA256
7005724da0cd4901a6d0a1de5009bd6b9be1180f922fab64f9effe2d6f79a142

SHA512
344e1cae474321885886a4fea19381105923830ed4a2ba062567af88cb19279e6ccf8f48ffeb6076c08fd855b321d96cec0000349f746e2be80cb62bf9f949b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\895d50c8-e1e4-419f-bcbf-80c86c77bc78.vbs

Filesize
703B

MD5
66d0a735714705a0df1ccb896ec08f0b

SHA1
6c64df3780467bc92dda33df1eedee90959adac0

SHA256
a39f41fb450afa3b96f7328cf96afddb588cd8e22d4af8f4eef26034164dcd3f

SHA512
61199b6a6aa73f72ce8ff9ea601488602c79788fcbe3c74411e028cb336a79c0b219da3e375016490abd75d4b152267728408ecee06ba906d4c58fe0576aa52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9755f5a2-dd94-4ca8-90cd-c57aff20b04e.vbs

Filesize
703B

MD5
bb44e342e28144e430b17a8c9525599a

SHA1
68e2b983345eeff0806aa859ed5b4f5566368145

SHA256
efe73f925901f2f9f6083f86d2a1832ff11c99f5badd2f37bce6839365dc72ed

SHA512
ca40d48205b8f9479c6ac4d854ddc25649e2d1d62d2af786e41c4ad299d45c5b624793112c322e6161dffe5e4aea3184c9fa5cf4a64ab039205aca66f716bb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c26f8d7-69a9-4266-905c-426d6a3ac63e.vbs

Filesize
704B

MD5
3a10b4294f86f4311d3dd9de398e51e1

SHA1
47be7dd42dd4a2cb47304acfd772a5143f33c055

SHA256
d4a6079abf5433af7568b2f7acb19a09410ea9c699da510e60d3a5a438d468b9

SHA512
6f332b05798e4ad024a5d2773ff641075d066b31cb9fe2c5c824265395d89a8490c9d2eed37a585d4ef461b41398252a3749b3e58f1382852f1db2bb57814d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\abdafa24-baaa-4971-80b1-35ea8ee979c6.vbs

Filesize
703B

MD5
353e6aa4f7321c0894b4892b5f1dcf33

SHA1
53063b19e6691a360956caedc2bbdcaaedfa1c69

SHA256
2593294203c849615de6957b3117cc6c16a6d889d03f88afda382df0e4e3f4ec

SHA512
e2865840b0640e33dd537128852a9ef2644afe154d80289f71ae0e7ec121a6547eb6cb96e56befd89e5feb8db1031e8f1cc279bea284e542dfb241a6d9f79201

Download Submit
C:\Users\Admin\AppData\Local\Temp\f510e22a-abae-4321-8647-15d915921249.vbs

Filesize
704B

MD5
f8aecafba633d385c6bc48600afc5a84

SHA1
5cdd7847ccc51162e3a2d0075ff063aa7e7409d4

SHA256
19c6e887b2ca573b7dea61c0e3ad3b3e070e97fa4f5b2d759c4c383258f4dea4

SHA512
44d6d7f13a2178c03291eb318d841e3421ce4374705e7cbc52e5da4edf63ae7b03fe5b48acc8a49bab7c588ca4aa504b34dd064d54e5eeea26a6b8a81ed8272e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc06834e-82d3-4e90-a9d0-ac1568216f9d.vbs

Filesize
480B

MD5
ef00c9f37bc1b99af37dc7c5b0d1ceb4

SHA1
2b167e7b4edc187afa157f7c515e5b172304a237

SHA256
5473b3b31c8fd353b80263e6b21e635a46da70a2f2793547a7a2c138e0823eb1

SHA512
f45d82eec6524c80054e3bef37a8210580c34cf92c442cbe43382483ec6ef3244c3857e3c8772488a74d01ce2db9b904b1e6c7eae47441ef99edab5e1abc91bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBB8.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e818d592f753d70294cb709c64c1f926

SHA1
633670cdc10da2b40ea8b65c76c5267de8488cb1

SHA256
606138bab35ffda4ac2b5da2c868fb436eff21efe9dabc91a33f324ddc007695

SHA512
b89823ceb88bb674e2f5fde85fbf521919c130f3bf64e986626e4fab6df764fd5e312534499c7262971cfe4976d896ca191017dbdb932569bfc6392813dc5e32

Download Submit
memory/536-134-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/536-133-0x0000000000BE0000-0x00000000010D4000-memory.dmp

Filesize
5.0MB

Download
memory/688-96-0x0000000000860000-0x0000000000D54000-memory.dmp

Filesize
5.0MB

Download
memory/796-165-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/796-164-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/868-225-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/1436-76-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1436-86-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1500-195-0x00000000011F0000-0x00000000016E4000-memory.dmp

Filesize
5.0MB

Download
memory/1576-149-0x0000000000F20000-0x0000000001414000-memory.dmp

Filesize
5.0MB

Download
memory/1792-180-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2072-210-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/2076-255-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/2076-254-0x0000000000840000-0x0000000000D34000-memory.dmp

Filesize
5.0MB

Download
memory/2848-240-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/3012-6-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/3012-11-0x0000000002630000-0x000000000263A000-memory.dmp

Filesize
40KB

Download
memory/3012-8-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3012-16-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/3012-9-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/3012-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/3012-5-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/3012-10-0x0000000002620000-0x0000000002632000-memory.dmp

Filesize
72KB

Download
memory/3012-4-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/3012-7-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/3012-3-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-12-0x000000001AB50000-0x000000001AB5E000-memory.dmp

Filesize
56KB

Download
memory/3012-2-0x000000001B690000-0x000000001B7BE000-memory.dmp

Filesize
1.2MB

Download
memory/3012-99-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-1-0x0000000000900000-0x0000000000DF4000-memory.dmp

Filesize
5.0MB

Download
memory/3012-13-0x000000001AB60000-0x000000001AB6E000-memory.dmp

Filesize
56KB

Download
memory/3012-14-0x000000001AB70000-0x000000001AB78000-memory.dmp

Filesize
32KB

Download
memory/3012-15-0x000000001AB80000-0x000000001AB88000-memory.dmp

Filesize
32KB

Download