dcrat | 1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ff

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Size

1.5MB
MD5

d783e97b37584c63b3b45c382b22a000
SHA1

6c3c4b8a5081304166c0a3c53930164efc09afac
SHA256

1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ff
SHA512

683396235092e51403f8699e59f7561924575116ec239fe148f321f98c8ddc31faf87c58e620fd202b1a4b49b46a0d3bcbd875ebbecabea2dcc878f34bae717d
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\", \"C:\\Windows\\AppPatch\\Custom\\Custom64\\csrss.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\", \"C:\\Windows\\AppPatch\\Custom\\Custom64\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\", \"C:\\Windows\\AppPatch\\Custom\\Custom64\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\PerfLogs\\Admin\\Idle.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\", \"C:\\Windows\\AppPatch\\Custom\\Custom64\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\PerfLogs\\Admin\\Idle.exe\", \"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2540	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2540	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2540	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2540	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2540	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe
2436	powershell.exe
644	powershell.exe
1652	powershell.exe
1728	powershell.exe
2440	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Executes dropped EXE 11 IoCs

pid	Process
2036	csrss.exe
888	csrss.exe
2984	csrss.exe
1452	csrss.exe
2456	csrss.exe
1924	csrss.exe
844	csrss.exe
1016	csrss.exe
2124	csrss.exe
1164	csrss.exe
1544	csrss.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\api-ms-win-core-namedpipe-l1-1-0\\csrss.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppPatch\\Custom\\Custom64\\csrss.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppPatch\\Custom\\Custom64\\csrss.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Admin\\Idle.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\PerfLogs\\Admin\\Idle.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\RCXC034.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\886983d96e3d3e	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\Custom\Custom64\csrss.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File created	C:\Windows\AppPatch\Custom\Custom64\886983d96e3d3e	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\RCXC238.tmp	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\csrss.exe	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
3036	schtasks.exe
2716	schtasks.exe
2908	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
1652	powershell.exe
1728	powershell.exe
644	powershell.exe
2440	powershell.exe
2880	powershell.exe
2436	powershell.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
2036	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe
888	csrss.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2036	csrss.exe
Token: SeDebugPrivilege	888	csrss.exe
Token: SeDebugPrivilege	2984	csrss.exe
Token: SeDebugPrivilege	1452	csrss.exe
Token: SeDebugPrivilege	2456	csrss.exe
Token: SeDebugPrivilege	1924	csrss.exe
Token: SeDebugPrivilege	844	csrss.exe
Token: SeDebugPrivilege	1016	csrss.exe
Token: SeDebugPrivilege	2124	csrss.exe
Token: SeDebugPrivilege	1164	csrss.exe
Token: SeDebugPrivilege	1544	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2880	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	37
PID 2172 wrote to memory of 2880	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	37
PID 2172 wrote to memory of 2880	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	37
PID 2172 wrote to memory of 2436	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	38
PID 2172 wrote to memory of 2436	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	38
PID 2172 wrote to memory of 2436	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	38
PID 2172 wrote to memory of 2440	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	39
PID 2172 wrote to memory of 2440	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	39
PID 2172 wrote to memory of 2440	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	39
PID 2172 wrote to memory of 1728	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	40
PID 2172 wrote to memory of 1728	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	40
PID 2172 wrote to memory of 1728	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	40
PID 2172 wrote to memory of 1652	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	42
PID 2172 wrote to memory of 1652	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	42
PID 2172 wrote to memory of 1652	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	42
PID 2172 wrote to memory of 644	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	44
PID 2172 wrote to memory of 644	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	44
PID 2172 wrote to memory of 644	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	44
PID 2172 wrote to memory of 1740	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	49
PID 2172 wrote to memory of 1740	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	49
PID 2172 wrote to memory of 1740	2172	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe	49
PID 1740 wrote to memory of 584	1740	cmd.exe	51
PID 1740 wrote to memory of 584	1740	cmd.exe	51
PID 1740 wrote to memory of 584	1740	cmd.exe	51
PID 1740 wrote to memory of 2036	1740	cmd.exe	52
PID 1740 wrote to memory of 2036	1740	cmd.exe	52
PID 1740 wrote to memory of 2036	1740	cmd.exe	52
PID 2036 wrote to memory of 1796	2036	csrss.exe	53
PID 2036 wrote to memory of 1796	2036	csrss.exe	53
PID 2036 wrote to memory of 1796	2036	csrss.exe	53
PID 2036 wrote to memory of 2644	2036	csrss.exe	54
PID 2036 wrote to memory of 2644	2036	csrss.exe	54
PID 2036 wrote to memory of 2644	2036	csrss.exe	54
PID 1796 wrote to memory of 888	1796	WScript.exe	55
PID 1796 wrote to memory of 888	1796	WScript.exe	55
PID 1796 wrote to memory of 888	1796	WScript.exe	55
PID 888 wrote to memory of 2056	888	csrss.exe	56
PID 888 wrote to memory of 2056	888	csrss.exe	56
PID 888 wrote to memory of 2056	888	csrss.exe	56
PID 888 wrote to memory of 2884	888	csrss.exe	57
PID 888 wrote to memory of 2884	888	csrss.exe	57
PID 888 wrote to memory of 2884	888	csrss.exe	57
PID 2056 wrote to memory of 2984	2056	WScript.exe	58
PID 2056 wrote to memory of 2984	2056	WScript.exe	58
PID 2056 wrote to memory of 2984	2056	WScript.exe	58
PID 2984 wrote to memory of 2012	2984	csrss.exe	59
PID 2984 wrote to memory of 2012	2984	csrss.exe	59
PID 2984 wrote to memory of 2012	2984	csrss.exe	59
PID 2984 wrote to memory of 1436	2984	csrss.exe	60
PID 2984 wrote to memory of 1436	2984	csrss.exe	60
PID 2984 wrote to memory of 1436	2984	csrss.exe	60
PID 2012 wrote to memory of 1452	2012	WScript.exe	61
PID 2012 wrote to memory of 1452	2012	WScript.exe	61
PID 2012 wrote to memory of 1452	2012	WScript.exe	61
PID 1452 wrote to memory of 2632	1452	csrss.exe	62
PID 1452 wrote to memory of 2632	1452	csrss.exe	62
PID 1452 wrote to memory of 2632	1452	csrss.exe	62
PID 1452 wrote to memory of 1988	1452	csrss.exe	63
PID 1452 wrote to memory of 1988	1452	csrss.exe	63
PID 1452 wrote to memory of 1988	1452	csrss.exe	63
PID 2632 wrote to memory of 2456	2632	WScript.exe	64
PID 2632 wrote to memory of 2456	2632	WScript.exe	64
PID 2632 wrote to memory of 2456	2632	WScript.exe	64
PID 2456 wrote to memory of 2104	2456	csrss.exe	65

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe
"C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ffN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etefoyMBZI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:584
- - C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
    "C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac57c44-2547-4fe2-8fd4-3f9f5f9edc5e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:888
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae6cb63-d4a6-4cec-953f-b78c0b3fc2ef.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6b13d91-82df-444b-ab70-cd55f435a7bd.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7899770-17dd-4d0f-9211-5ab60bdaa78a.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48799643-6f12-46f2-ae7c-ee31e7482731.vbs"
        12⤵
        
        PID:2104
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10728da9-77a6-4d0f-bb87-189819dc02d1.vbs"
        14⤵
        
        PID:1396
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4078bc91-d047-4b6a-ba2c-0941002053df.vbs"
        16⤵
        
        PID:888
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fd364c2-9bcd-4c2d-b969-73fc15274a9e.vbs"
        18⤵
        
        PID:1784
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3334db07-ac30-4cd3-96ae-91db8d31d84e.vbs"
        20⤵
        
        PID:448
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94355e65-9886-4ebc-a4f4-3a503d870303.vbs"
        22⤵
        
        PID:892
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        
        C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4dc9454-2d98-497a-871a-07db7c03b542.vbs"
        24⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc8c137e-d531-44c3-ba45-2e4395e6033a.vbs"
        24⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7765e991-1431-47b3-a135-7ff0f914e34c.vbs"
        22⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7c6351-53ec-4897-a51b-4fcea3005b01.vbs"
        20⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a78f3e4-0286-4b08-96f5-7a93ea6ac071.vbs"
        18⤵
        
        PID:496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22f29fe1-81d9-49bf-883e-7c40f2980044.vbs"
        16⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd038c8-a7a9-49b7-8239-97a1216d5be8.vbs"
        14⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa0d939-cd20-40fc-ad84-ddc898965e94.vbs"
        12⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\141c11da-6fa7-46a8-96e7-a6085b8d8541.vbs"
        10⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b88607c-ce20-49b7-b3cd-815c382aef49.vbs"
        8⤵
        
        PID:1436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48d0a17d-5e30-43a2-be21-dd4f42d5ba16.vbs"
        6⤵
        
        PID:2884
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c703e8a-91c9-46c6-b37e-1add8a50faba.vbs"
      4⤵
      PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\PerfLogs\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\WmiPrvSE.exe

Filesize
1.5MB

MD5
d783e97b37584c63b3b45c382b22a000

SHA1
6c3c4b8a5081304166c0a3c53930164efc09afac

SHA256
1e9742e9cc87cb54a64a7d914510e10bca861a995f9255f6e8d064cb76ab17ff

SHA512
683396235092e51403f8699e59f7561924575116ec239fe148f321f98c8ddc31faf87c58e620fd202b1a4b49b46a0d3bcbd875ebbecabea2dcc878f34bae717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10728da9-77a6-4d0f-bb87-189819dc02d1.vbs

Filesize
738B

MD5
1247207b321199ecb02576fced3641a1

SHA1
a8be10df013c7631a41c94bf200632086a862441

SHA256
aa7fc0fa9605b6651ca15cdb3fb21277a247397e4ef8564d07af0aa9b8a6ebb7

SHA512
8da6cb793e8543db9f14181379136fe85a174010b7c1ce5d6e9b25690a570d68315a6b8ea1919919dfd8849b5151accde417d11ba77c24312760af83997b47f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fd364c2-9bcd-4c2d-b969-73fc15274a9e.vbs

Filesize
738B

MD5
ead81416f8f67c4e5e794150bfeef5a6

SHA1
d02c28fd1874ea97cd22fb07c039bd711154c6d9

SHA256
ab442320a643df888dc23d3ff2d50c28d245b1182dcf5988da4cfadc4d476cae

SHA512
44079c3a41658ee723ed15c8d9e37cbdcd954aa1e4478482e6d9a5e4f2a13724e8bcee7c683914589d60239979e3d26cb09e7df4f521b52333a7a342075f4a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\3334db07-ac30-4cd3-96ae-91db8d31d84e.vbs

Filesize
738B

MD5
4eb2872e785b0cb3c285ea5525e214db

SHA1
eaf3117678573b8bca13cb5472178c7b9f31ef79

SHA256
4573ea0a890ae09c9315abc453697c47f1e86e2d94b9b3beb34a2f651c0df127

SHA512
66aae0142a9952afe8903f8fdde3422b6f8f8a982b81a9482091595ce4412f3dacc42fb8a0571e87f62dcee7f9a363e347f69da37fe43fb3e6e6d2c7c0f10387

Download Submit
C:\Users\Admin\AppData\Local\Temp\4078bc91-d047-4b6a-ba2c-0941002053df.vbs

Filesize
737B

MD5
f11e57638c875bedbf8f47cfa7823451

SHA1
8843314f974a7f98a200291ec14944c7d1460d47

SHA256
06311980e071a43947455f59ef33b325f322901840829bd1ac8fd85b4b43b969

SHA512
d76710c1c98bf5c732a4fd793c0de00991219853cb63f6c279279590783a4994783b45bd8fce124a9164c8485a36c043e76494947503ff2c4330057fa469a43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48799643-6f12-46f2-ae7c-ee31e7482731.vbs

Filesize
738B

MD5
ef0d4800b08e648900086346bad77080

SHA1
e8c77243729913651b56dcbf87a5c3f1a90859e1

SHA256
a4e4d32cf7a5280b787e2022dc8d848c0ec9fc7b44e6556e4a1ed37745dc9932

SHA512
e5ab3e05bc916734f9b21ac657eea381d6c7e96c349653939b6f72d72e60ffa394abb68e72bcda6cb2b4083dc3fe353c33b2ef2643c5e28bd7940cfd547cb85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c703e8a-91c9-46c6-b37e-1add8a50faba.vbs

Filesize
514B

MD5
633d38a675b4f41f81bff3a83ced8e1d

SHA1
edc0e75173f46e14bf92b1bd201572a047e30c83

SHA256
f23503976a638306bf2be61a075b3b01cba639fdc6a40927128a30fab42d5368

SHA512
892750dbd0d0a1c3b0d4e8c904030b26a2b300315e93ce738398368f11c088b6705500cc0a0465a29efd6f2c8707393b4a6bfcfa661d1846bd09383d9303cb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\94355e65-9886-4ebc-a4f4-3a503d870303.vbs

Filesize
738B

MD5
db86e1ec7de313c269d0eaf41321f9e7

SHA1
7bd7f710bdc5ef7248495b3ff0be7dad09f4180d

SHA256
1cdc838369de6c9c3d6f5857784ad101eefc4eb0271b2842511defd74d203216

SHA512
491eb9351f10c2729263b00b041a9badb687b635c2f9856c40084af678a00c502bc3995e2d5406e91470b6c783b876702cda47bb78df41368a3f881fcc33819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6b13d91-82df-444b-ab70-cd55f435a7bd.vbs

Filesize
738B

MD5
ebf8e6db2f3ea169cd285cf437f71759

SHA1
87660a1d1a922a1f0cd37266e7b6e00664102818

SHA256
a93b177fca25f654cfe6f85e65ef68e80aea823df7a34c31bc3935c32623211a

SHA512
4181521409438ce397bf7f93abbc0f1cb783a4217c750df7c2419f7b06cd6542b4b0cf3e2a3143cc8c76419799c40cacf52a41365330a8e73cdbd31b038a4c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bac57c44-2547-4fe2-8fd4-3f9f5f9edc5e.vbs

Filesize
738B

MD5
353b39df61687e01373cb7fab28f0bc1

SHA1
8eddf6041bd22be27cf5dffba47c26fde0ea5159

SHA256
163933785dea7a091af6c6280aba99fc5ee641898e3a28502a7518b9ac679da4

SHA512
5df92caf749b43fc44edff3035dad3bc90d2ef022a24b04196487e6e76cba232c0e549992c4b31afbfa0ca9abe98f77fef141d09e70e90a84cf87e1a5a78a89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7899770-17dd-4d0f-9211-5ab60bdaa78a.vbs

Filesize
738B

MD5
93e73788d2a93dc622bd1a9fcecedddd

SHA1
be75504ee60ba1a06ff8473dab75bbbc9c089e56

SHA256
d4308fe0dee9427c91c9b2887c97de24744ff81927797fea676fa7c5502a0942

SHA512
b9b51bc9eaade3777225521582ed9e7a1b2456658b8e338f1aa7a550110cf3cf18b3ec7ad8f5d53cf70c501686fae152d984771a88e52c8be672cb101f7379c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4dc9454-2d98-497a-871a-07db7c03b542.vbs

Filesize
738B

MD5
d725eb4a6865b771ec197e3454a99223

SHA1
7c6b43a9fef59b469b8a4ebd14d4a5224b956714

SHA256
ec2da75386edc904575b8a9b61dc7774ed530f4c3c7f9a8c838da291d86dd1b8

SHA512
187f6b79ad77dd6bede8b2b31e294579005c902c9fa71565b3d3a2d84bce8915b6055ff346cd14aa70fc78dc6a78bd23d9d9c9c8f1fb4b327f33570c76148e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eae6cb63-d4a6-4cec-953f-b78c0b3fc2ef.vbs

Filesize
737B

MD5
0165ab3c13308f5bba919edf86e1057d

SHA1
deace50f3e35de8169544150ba26180686cdc3e1

SHA256
1de9b4df107a176162fc0400e5e2c7bc50c892e06cf995ceed4bbb9fdf7f3076

SHA512
3a2d3482579e2cb94f3be3906a5e237a4d774833a1dfe774710c1ee3e2c3a58de9b83c087b7af925458cd87035ec30bfe56e1839ff76ad4978be4364e7cabf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\etefoyMBZI.bat

Filesize
226B

MD5
410e71487ad36a788435adb64b64d73f

SHA1
06b86c0c41efe1d8cf58602a08e759b6c4324118

SHA256
806a72af0c5b799275a055910a39987a369ec4ce96f31b6193afa9a165112d04

SHA512
1e992af61326953e3fdcf44c0fa748c57d47bbc65490e8623a9916fe661620ecef02f7e0c560c5a486aea1b6faf70ffe98a04595e95d44f1058eef89c73ba4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9e6321b283bfbd487192d39ff559324c

SHA1
f2f72b0c886f79b3e6853060eb9810e13b0b8f01

SHA256
fa8e9b93757b899dfb0c97f189d4cf48b3f3c83adea923bab7db5e690037b9e5

SHA512
9e174d5563ae51b0af522a8ca255e6daa6ce8cfa5c8ffdd206546198b01b71b8e121f2c15e00aa8fd3823a66b7e31d3ac9c003509db1b62dd6b52c8e0dd8f627

Download Submit
memory/644-95-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/844-180-0x0000000001290000-0x000000000140E000-memory.dmp

Filesize
1.5MB

Download
memory/888-122-0x0000000001160000-0x00000000012DE000-memory.dmp

Filesize
1.5MB

Download
memory/1164-214-0x0000000000230000-0x00000000003AE000-memory.dmp

Filesize
1.5MB

Download
memory/1452-145-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1544-227-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1544-226-0x00000000009E0000-0x0000000000B5E000-memory.dmp

Filesize
1.5MB

Download
memory/1728-103-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1924-168-0x0000000000120000-0x000000000029E000-memory.dmp

Filesize
1.5MB

Download
memory/2036-111-0x0000000000290000-0x000000000040E000-memory.dmp

Filesize
1.5MB

Download
memory/2172-11-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2172-9-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2172-13-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/2172-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2172-43-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-12-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2172-15-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/2172-14-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/2172-10-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2172-8-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2172-24-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-96-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-7-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2172-21-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2172-6-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2172-20-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/2172-5-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2172-4-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2172-3-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2172-18-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/2172-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-17-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/2172-16-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/2172-1-0x0000000000150000-0x00000000002CE000-memory.dmp

Filesize
1.5MB

Download