dcrat | bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Size

4.9MB
MD5

9155252a5d3bc3f6cbc29b5e0f2cc630
SHA1

b839fc7ef25168c33a13630039c7672a7aa4f398
SHA256

bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cb
SHA512

f60c640b19acf17e029cddc895cebd407beeebc7871f1acecf4bdc427cb704b11e7b1c35bf59bb31c16053eb07bc5d373aade1578f1ea46cb5dd0c63da40cfea
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1736	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.exebf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/292-3-0x000000001B710000-0x000000001B83E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1608	powershell.exe
1644	powershell.exe
2936	powershell.exe
1128	powershell.exe
2512	powershell.exe
2036	powershell.exe
2852	powershell.exe
1904	powershell.exe
1148	powershell.exe
1152	powershell.exe
1756	powershell.exe
2112	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
1276	csrss.exe
1924	csrss.exe
1288	csrss.exe
2616	csrss.exe
2088	csrss.exe
592	csrss.exe
1536	csrss.exe
3036	csrss.exe
2676	csrss.exe
2060	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.exebf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 4 IoCs

Processes:

bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe

description	ioc	Process
File created	C:\Program Files\Java\Idle.exe	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
File created	C:\Program Files\Java\6ccacd8608530f	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
File opened for modification	C:\Program Files\Java\RCXB1E6.tmp	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
File opened for modification	C:\Program Files\Java\Idle.exe	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe

Drops file in Windows directory 4 IoCs

Processes:

bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe

description	ioc	Process
File created	C:\Windows\IME\es-ES\dllhost.exe	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
File opened for modification	C:\Windows\IME\es-ES\dllhost.exe	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
File created	C:\Windows\IME\es-ES\5940a34987c991	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
File opened for modification	C:\Windows\IME\es-ES\RCXAB6D.tmp	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1280	schtasks.exe
1032	schtasks.exe
2760	schtasks.exe
2668	schtasks.exe
2664	schtasks.exe
1316	schtasks.exe
2732	schtasks.exe
1412	schtasks.exe
3028	schtasks.exe
2892	schtasks.exe
2648	schtasks.exe
2784	schtasks.exe
2824	schtasks.exe
2620	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
1904	powershell.exe
2852	powershell.exe
2036	powershell.exe
1644	powershell.exe
2112	powershell.exe
2512	powershell.exe
1756	powershell.exe
2936	powershell.exe
1152	powershell.exe
1608	powershell.exe
1148	powershell.exe
1128	powershell.exe
1276	csrss.exe
1924	csrss.exe
1288	csrss.exe
2616	csrss.exe
2088	csrss.exe
592	csrss.exe
1536	csrss.exe
3036	csrss.exe
2676	csrss.exe
2060	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1276	csrss.exe
Token: SeDebugPrivilege	1924	csrss.exe
Token: SeDebugPrivilege	1288	csrss.exe
Token: SeDebugPrivilege	2616	csrss.exe
Token: SeDebugPrivilege	2088	csrss.exe
Token: SeDebugPrivilege	592	csrss.exe
Token: SeDebugPrivilege	1536	csrss.exe
Token: SeDebugPrivilege	3036	csrss.exe
Token: SeDebugPrivilege	2676	csrss.exe
Token: SeDebugPrivilege	2060	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	Process	procid_target
PID 292 wrote to memory of 1128	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	46
PID 292 wrote to memory of 1128	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	46
PID 292 wrote to memory of 1128	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	46
PID 292 wrote to memory of 1608	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	47
PID 292 wrote to memory of 1608	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	47
PID 292 wrote to memory of 1608	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	47
PID 292 wrote to memory of 1644	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	48
PID 292 wrote to memory of 1644	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	48
PID 292 wrote to memory of 1644	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	48
PID 292 wrote to memory of 2936	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	49
PID 292 wrote to memory of 2936	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	49
PID 292 wrote to memory of 2936	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	49
PID 292 wrote to memory of 2512	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	50
PID 292 wrote to memory of 2512	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	50
PID 292 wrote to memory of 2512	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	50
PID 292 wrote to memory of 2036	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	51
PID 292 wrote to memory of 2036	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	51
PID 292 wrote to memory of 2036	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	51
PID 292 wrote to memory of 2852	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	52
PID 292 wrote to memory of 2852	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	52
PID 292 wrote to memory of 2852	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	52
PID 292 wrote to memory of 1904	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	53
PID 292 wrote to memory of 1904	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	53
PID 292 wrote to memory of 1904	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	53
PID 292 wrote to memory of 1148	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	54
PID 292 wrote to memory of 1148	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	54
PID 292 wrote to memory of 1148	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	54
PID 292 wrote to memory of 1152	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	55
PID 292 wrote to memory of 1152	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	55
PID 292 wrote to memory of 1152	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	55
PID 292 wrote to memory of 1756	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	57
PID 292 wrote to memory of 1756	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	57
PID 292 wrote to memory of 1756	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	57
PID 292 wrote to memory of 2112	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	58
PID 292 wrote to memory of 2112	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	58
PID 292 wrote to memory of 2112	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	58
PID 292 wrote to memory of 1276	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	70
PID 292 wrote to memory of 1276	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	70
PID 292 wrote to memory of 1276	292	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe	70
PID 1276 wrote to memory of 2432	1276	csrss.exe	71
PID 1276 wrote to memory of 2432	1276	csrss.exe	71
PID 1276 wrote to memory of 2432	1276	csrss.exe	71
PID 1276 wrote to memory of 1032	1276	csrss.exe	72
PID 1276 wrote to memory of 1032	1276	csrss.exe	72
PID 1276 wrote to memory of 1032	1276	csrss.exe	72
PID 2432 wrote to memory of 1924	2432	WScript.exe	74
PID 2432 wrote to memory of 1924	2432	WScript.exe	74
PID 2432 wrote to memory of 1924	2432	WScript.exe	74
PID 1924 wrote to memory of 1932	1924	csrss.exe	75
PID 1924 wrote to memory of 1932	1924	csrss.exe	75
PID 1924 wrote to memory of 1932	1924	csrss.exe	75
PID 1924 wrote to memory of 2548	1924	csrss.exe	76
PID 1924 wrote to memory of 2548	1924	csrss.exe	76
PID 1924 wrote to memory of 2548	1924	csrss.exe	76
PID 1932 wrote to memory of 1288	1932	WScript.exe	77
PID 1932 wrote to memory of 1288	1932	WScript.exe	77
PID 1932 wrote to memory of 1288	1932	WScript.exe	77
PID 1288 wrote to memory of 2036	1288	csrss.exe	78
PID 1288 wrote to memory of 2036	1288	csrss.exe	78
PID 1288 wrote to memory of 2036	1288	csrss.exe	78
PID 1288 wrote to memory of 2640	1288	csrss.exe	79
PID 1288 wrote to memory of 2640	1288	csrss.exe	79
PID 1288 wrote to memory of 2640	1288	csrss.exe	79
PID 2036 wrote to memory of 2616	2036	WScript.exe	80

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exebf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe
"C:\Users\Admin\AppData\Local\Temp\bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cbN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Users\All Users\csrss.exe
  "C:\Users\All Users\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1276
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367e07bc-a5a3-442b-9f0e-05f6e8d461f4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\All Users\csrss.exe
      "C:\Users\All Users\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1924
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0a4282a-5021-462b-8170-08b9107ebc8d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e26f0d78-ef0e-4934-bd69-424f0d079203.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a741a5a-7bd6-4731-8b5e-d941b7b7ad23.vbs"
        9⤵
        
        PID:2532
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76500624-fec3-4dcc-a7d1-5ca1e0234799.vbs"
        11⤵
        
        PID:476
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f78484a6-b815-4e10-87b2-c9bd1a30577e.vbs"
        13⤵
        
        PID:704
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df944ae7-dbd5-4297-9fda-ac819c34ce38.vbs"
        15⤵
        
        PID:1996
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04543859-1549-4efe-bc85-74800e557bb9.vbs"
        17⤵
        
        PID:1520
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb80df3-eb2f-4101-953b-07dd39ecf3ca.vbs"
        19⤵
        
        PID:2084
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c9cf286-f625-4088-8d42-0e341203d7b6.vbs"
        21⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d571697-c8b7-43ff-b6bf-74bc8605a669.vbs"
        21⤵
        
        PID:476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be82310c-d4f7-4c21-ac30-10fcce9d9abe.vbs"
        19⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55983007-6e05-4967-bdde-a06ce07cf13b.vbs"
        17⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b0e994e-1579-4071-b02e-26f1111fda75.vbs"
        15⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f36aa5-da2b-401b-98d0-98728844c30a.vbs"
        13⤵
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b9921ca-b338-457a-b4c2-ed5c8737949f.vbs"
        11⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a53dac-f383-4036-8371-c1f84f1b651d.vbs"
        9⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50c226e-9f54-459e-9ba8-cd88246d808a.vbs"
        7⤵
        
        PID:2640
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f35b792-0b35-404b-ac49-8f3523f9d145.vbs"
        5⤵
        
        PID:2548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc735ebd-9857-4a51-934b-2bb5341be4fb.vbs"
    3⤵
    PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
4.9MB

MD5
11f4d99dd257c058f9b9537e271780fe

SHA1
46f27a4dddb6cd3a938538e92ac8cae89d4f903a

SHA256
31c4397d26455d056989b5ad83d83904d17b029913829052529e6998a281e0d8

SHA512
8e28a1e886f3af4e8af556ae5d53fe506af17db58ff285209b633c624580964f197efe613efaa67e0e3fa1e630d0dba76dc3e0e7d8e0d4b8d9168e3043b2461a

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe

Filesize
4.9MB

MD5
9155252a5d3bc3f6cbc29b5e0f2cc630

SHA1
b839fc7ef25168c33a13630039c7672a7aa4f398

SHA256
bf0c56dbb4e5bdd5de51de8425dbcec4e79c3312b6b84347e0223b05b4b3a1cb

SHA512
f60c640b19acf17e029cddc895cebd407beeebc7871f1acecf4bdc427cb704b11e7b1c35bf59bb31c16053eb07bc5d373aade1578f1ea46cb5dd0c63da40cfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\04543859-1549-4efe-bc85-74800e557bb9.vbs

Filesize
704B

MD5
6995ae1f4f3ddadaa2597207feb7c307

SHA1
99c1bd30a161a6865a96bfe3f939dd59ff604e6f

SHA256
444d6e0d69dff628523006587c33a5b7d8c2fcf42300c764f89f389d45b38f34

SHA512
1c45f65d527ea7095c930d9db81064c8f51f3e9b94d0ff0f234e40ba54cbc96dae11e305a460e35d12f19d01677156ca34d2e47ef50699b3276dc0aa95f27f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c9cf286-f625-4088-8d42-0e341203d7b6.vbs

Filesize
704B

MD5
af682a50a9ec61e795f474be98585f36

SHA1
61ff82dffc635c71e262850a5fe6dc02e49298e6

SHA256
4bed6b76fe2f30e4ee3d90765d1e576d4e6825ad597e1ac5cf274ec3e006132b

SHA512
58dc74f2705923a477bcc4741bc762cc8854d8655ff1e21c0b40e9ba45dca5a92886ec6c8e23f87a3801460c730af285246dfc4a1c73b01ee12a0648fbdbae4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\367e07bc-a5a3-442b-9f0e-05f6e8d461f4.vbs

Filesize
704B

MD5
2b8470d2ac79c6f66d6d5ee99145e643

SHA1
799448af77875bfbbc5e3c760c918d1ace1ef5a3

SHA256
f0c77114d5df6cc065f06037128b73ac96f757e978313f32ae9334a7476fdd97

SHA512
0b4a3ea71605874ecd356ea7eeb33ff60753f7a0f6ea137912b6feac823ea27cfce3baad7017188272bebaf47a3cb5a6fd53778c5a0da827d0b9ec07d3e3e59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb80df3-eb2f-4101-953b-07dd39ecf3ca.vbs

Filesize
704B

MD5
0fca76de22189ed69f215f23b09ffe02

SHA1
614ffc19d723cdd14afa2584dadc0936ffe021a7

SHA256
7985b2dd301649760b29aa817f84c4f3813299c0eddd5bb2805098133f6cca9e

SHA512
5da2cf5ffa84a2e92ec6f5d841634fb6e1556ca4d6c58507df7544095b3a800ce642253ae638b5b7f8b86cf1ca075bd3e5ea3e8ea0fc4bd10cb7dd5abada0289

Download Submit
C:\Users\Admin\AppData\Local\Temp\76500624-fec3-4dcc-a7d1-5ca1e0234799.vbs

Filesize
704B

MD5
80fe2f26d818ee863e881ade856f75a8

SHA1
e8c7a802554ec6c5bc724d9f0900c87db8096285

SHA256
624857878c64b09502f8a6f03d13c1e8f607f86fc6f13d1ac2b78a98e957e0f0

SHA512
aadf4fd0819236cc448f694dee3dd4a15a3d1959c8af5d68fb8c0ac60260812568ff8a3e377d46f4bea1f5f3fb2a9c063a9291ca1e76b944188f65625349d381

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a741a5a-7bd6-4731-8b5e-d941b7b7ad23.vbs

Filesize
704B

MD5
8d2b312c427769697e5643a822734972

SHA1
af98774e68ab3a7149337741e3c3edb5c7b6b247

SHA256
2c777f8f32799d170223e30f750d7f645042c6bc5bb74f0b2a0cc63883b7b954

SHA512
3dee5b3f0fa9693db1de9f3f73dd37437a116c18c05f3ac9df315439ae9794f3ae53724496932d04f21da76a65da8de454b885e4c0bb1fb2f8093841ea9d11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc735ebd-9857-4a51-934b-2bb5341be4fb.vbs

Filesize
480B

MD5
1ffb10c80221943c7fef056f0c4cabdf

SHA1
0daac9d24b74a4e9cc077a3dab7e5b3042c5658d

SHA256
832750d65119b2c5a5784793ee4ca219184212964375b5d6942eadd8efa827eb

SHA512
e302dc46f620ad4eb061a7bb9df5e3b25fabeb3ca4d417055e2aad05e8f6503489d2deee038caf557414738b4d6ae52c59e951a2d356eacfa325abab53d34c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0a4282a-5021-462b-8170-08b9107ebc8d.vbs

Filesize
704B

MD5
2b28a9a3f0654f0fe371db00a57e6e6a

SHA1
7071597d6080dd0931898591e8e835d3683d5a79

SHA256
ea99e24a5f619924272d8ee85d1616083177e29698940a355656818611658bed

SHA512
a6e2f85a6f469d52bf8f35a4003104407d48883462396125367fbeb77576a4346b5c3747792d10fc16bd0c6ba6ac4ede85f95fea01f14952054bcba314737307

Download Submit
C:\Users\Admin\AppData\Local\Temp\df944ae7-dbd5-4297-9fda-ac819c34ce38.vbs

Filesize
704B

MD5
8b6caeb6866f4a422dccbf60c4679e9d

SHA1
9d0b857e96da60e09b1c4e98d1054c23b3fcab74

SHA256
97f6db9b7e0227bd91cfb4f3a2bb033a3d84c35903bf38f5b5e0cf368479eae3

SHA512
3aa0031b555ed9569698d2a51c0b79a165d24a9971f61c1da5290b7c9b23e4b26ab7e566bf94fcb022a048037019ab0316b5987b9f38db0e1042af3994803939

Download Submit
C:\Users\Admin\AppData\Local\Temp\e26f0d78-ef0e-4934-bd69-424f0d079203.vbs

Filesize
704B

MD5
5546e1d46939a44d9c1562dec723bdeb

SHA1
fc9413d3bb23c7e8aa55bcbd1b6e67086107bfdf

SHA256
3b6ef40452077c9608acb3382bbe5164c3c35d1786517b27eabc05914a507846

SHA512
e29168b637449113e57f0b882beee51a65bf1455563b6cb29e972e10b863f13721fb9c253a3e83fb53704b40ffd63e59589914d6b247129b563eed0193f71056

Download Submit
C:\Users\Admin\AppData\Local\Temp\f78484a6-b815-4e10-87b2-c9bd1a30577e.vbs

Filesize
703B

MD5
751388d55d096ebd356a5dedacc5328d

SHA1
05780cd5a7c0430924ed188b361fe93f37c5fa5c

SHA256
7034884a355818a9d3ac5eb4350aca69e1c3e1ed5308870f7f07e6423a0f4483

SHA512
684f2ebacdabd50a751d607f1bafde74320bdcd9917d5459c3a724c0e7c007d292150cec8ee4601f0320662a4589df14c8fa201465041dbff3facfadf2162de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e1fa24133fab6297a279a7587f740bf1

SHA1
d75ac9bd6f0cdd15065a6e34b8d1be0f77dff917

SHA256
f37f5351273b00185a6972cee875a68fe09e9dfaffe779362dcd69da9bbbc05d

SHA512
2e4154a12ae2da8e379c282f9dfe6a2d3ca94d44f9bcdcf45b9e78628a4b6741027cc2d6593e2866ce1119d0dcdda73a09ab828b0c265d085cc1ef3e792a7db5

Download Submit
memory/292-14-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/292-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/292-15-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/292-13-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/292-12-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/292-11-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/292-10-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/292-125-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/292-9-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/292-16-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/292-8-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/292-7-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/292-6-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/292-5-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/292-4-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/292-3-0x000000001B710000-0x000000001B83E000-memory.dmp

Filesize
1.2MB

Download
memory/292-2-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/292-1-0x0000000000B60000-0x0000000001054000-memory.dmp

Filesize
5.0MB

Download
memory/1276-132-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/1276-124-0x0000000000A00000-0x0000000000EF4000-memory.dmp

Filesize
5.0MB

Download
memory/1288-162-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download
memory/1536-222-0x0000000000FC0000-0x00000000014B4000-memory.dmp

Filesize
5.0MB

Download
memory/1536-223-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/1644-71-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1904-126-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1924-147-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1924-146-0x0000000000F90000-0x0000000001484000-memory.dmp

Filesize
5.0MB

Download
memory/2060-269-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2088-193-0x0000000000E50000-0x0000000001344000-memory.dmp

Filesize
5.0MB

Download
memory/2616-178-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/2616-177-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/2676-254-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2676-253-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/3036-238-0x0000000001110000-0x0000000001604000-memory.dmp

Filesize
5.0MB

Download