dcrat | 667cb510540d8e7a6cd30007d30a8ca11110dde57bd03d2cbf87ca6b7868bdb9

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef9c94ed2f87a7be79dfaaa427604df4.exe
Size

1.1MB
MD5

ef9c94ed2f87a7be79dfaaa427604df4
SHA1

ca7fc1e83b76575b172d1e8da2b95a32929004a4
SHA256

897d2f5a9ba328ff88d123d0900e9727fed9da63b44e870f0369233510a8ec04
SHA512

4065d78cd8fa37cd0155fb13f173397601b1b1a669bfd8b8bf7bb0be31c0521aaa03d1dfd18bb437cb154a12e64c9083322d348334829ee79d4b6837d4e4d9dd
SSDEEP

12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\", \"C:\\PerfLogs\\Admin\\OSPPSVC.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\Offline Web Pages\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\", \"C:\\PerfLogs\\Admin\\OSPPSVC.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\Offline Web Pages\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Windows\\System32\\perfh007\\csrss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\", \"C:\\PerfLogs\\Admin\\OSPPSVC.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\", \"C:\\PerfLogs\\Admin\\OSPPSVC.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\", \"C:\\PerfLogs\\Admin\\OSPPSVC.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\Offline Web Pages\\sppsvc.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\", \"C:\\Windows\\System32\\msftedit\\dwm.exe\", \"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\", \"C:\\Windows\\System32\\chgport\\dllhost.exe\", \"C:\\Windows\\System32\\KBDSG\\smss.exe\", \"C:\\PerfLogs\\Admin\\OSPPSVC.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\Offline Web Pages\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Windows\\System32\\perfh007\\csrss.exe\", \"C:\\Windows\\System32\\NlsData0045\\winlogon.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe

Process spawned unexpected child process 11 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2800	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2976	powershell.exe
2064	powershell.exe
1652	powershell.exe
620	powershell.exe
2208	powershell.exe
1384	powershell.exe
2172	powershell.exe
2088	powershell.exe
2020	powershell.exe
852	powershell.exe
1932	powershell.exe
1160	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ef9c94ed2f87a7be79dfaaa427604df4.exe

Executes dropped EXE 11 IoCs

pid	Process
2692	csrss.exe
2184	csrss.exe
2144	csrss.exe
2112	csrss.exe
1284	csrss.exe
2776	csrss.exe
2640	csrss.exe
2932	csrss.exe
1304	csrss.exe
2900	csrss.exe
1292	csrss.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\msftedit\\dwm.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Installer\\{90140000-002A-0000-1000-0000000FF1CE}\\spoolsv.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\chgport\\dllhost.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\chgport\\dllhost.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Offline Web Pages\\sppsvc.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\perfh007\\csrss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\NlsData0045\\winlogon.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\msftedit\\dwm.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\KBDSG\\smss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\PerfLogs\\Admin\\OSPPSVC.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\PerfLogs\\Admin\\OSPPSVC.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\perfh007\\csrss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\NlsData0045\\winlogon.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\KBDSG\\smss.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Offline Web Pages\\sppsvc.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef9c94ed2f87a7be79dfaaa427604df4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\NlsLexicons0009\dllhost.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\NlsLexicons0009\5940a34987c991	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\msftedit\dwm.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\chgport\dllhost.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\perfh007\886983d96e3d3e	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\NlsData0045\winlogon.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\chgport\RCX3518.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\KBDSG\RCX371C.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\NlsLexicons0009\dllhost.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\KBDSG\69ddcba757bf72	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\perfh007\csrss.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\NlsLexicons0009\RCX2EA0.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\msftedit\RCX3111.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\KBDSG\smss.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\perfh007\csrss.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\NlsData0045\RCX43A0.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\msftedit\6cb0b6c459d5d3	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\chgport\dllhost.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\chgport\5940a34987c991	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\KBDSG\smss.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\NlsData0045\cc11b995f2a76d	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\msftedit\dwm.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\perfh007\RCX419C.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\NlsData0045\winlogon.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\f3b6ecef712a24	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\Offline Web Pages\sppsvc.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\Offline Web Pages\0a1fd5f707cd16	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCX3315.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\spoolsv.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX3D28.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\Offline Web Pages\sppsvc.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\spoolsv.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
960	schtasks.exe
1252	schtasks.exe
1900	schtasks.exe
3052	schtasks.exe
1040	schtasks.exe
3048	schtasks.exe
2596	schtasks.exe
2944	schtasks.exe
2096	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
1160	powershell.exe
1652	powershell.exe
852	powershell.exe
2088	powershell.exe
2064	powershell.exe
2976	powershell.exe
1384	powershell.exe
620	powershell.exe
1932	powershell.exe
2020	powershell.exe
2208	powershell.exe
2172	powershell.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe
2692	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2692	csrss.exe
Token: SeDebugPrivilege	2184	csrss.exe
Token: SeDebugPrivilege	2144	csrss.exe
Token: SeDebugPrivilege	2112	csrss.exe
Token: SeDebugPrivilege	1284	csrss.exe
Token: SeDebugPrivilege	2776	csrss.exe
Token: SeDebugPrivilege	2640	csrss.exe
Token: SeDebugPrivilege	2932	csrss.exe
Token: SeDebugPrivilege	1304	csrss.exe
Token: SeDebugPrivilege	2900	csrss.exe
Token: SeDebugPrivilege	1292	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1932	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	42
PID 2216 wrote to memory of 1932	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	42
PID 2216 wrote to memory of 1932	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	42
PID 2216 wrote to memory of 2172	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	43
PID 2216 wrote to memory of 2172	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	43
PID 2216 wrote to memory of 2172	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	43
PID 2216 wrote to memory of 1160	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	44
PID 2216 wrote to memory of 1160	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	44
PID 2216 wrote to memory of 1160	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	44
PID 2216 wrote to memory of 2088	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	45
PID 2216 wrote to memory of 2088	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	45
PID 2216 wrote to memory of 2088	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	45
PID 2216 wrote to memory of 2976	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	46
PID 2216 wrote to memory of 2976	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	46
PID 2216 wrote to memory of 2976	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	46
PID 2216 wrote to memory of 2020	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	47
PID 2216 wrote to memory of 2020	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	47
PID 2216 wrote to memory of 2020	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	47
PID 2216 wrote to memory of 2064	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	48
PID 2216 wrote to memory of 2064	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	48
PID 2216 wrote to memory of 2064	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	48
PID 2216 wrote to memory of 1652	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	49
PID 2216 wrote to memory of 1652	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	49
PID 2216 wrote to memory of 1652	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	49
PID 2216 wrote to memory of 620	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	50
PID 2216 wrote to memory of 620	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	50
PID 2216 wrote to memory of 620	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	50
PID 2216 wrote to memory of 2208	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	51
PID 2216 wrote to memory of 2208	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	51
PID 2216 wrote to memory of 2208	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	51
PID 2216 wrote to memory of 1384	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	52
PID 2216 wrote to memory of 1384	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	52
PID 2216 wrote to memory of 1384	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	52
PID 2216 wrote to memory of 852	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	53
PID 2216 wrote to memory of 852	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	53
PID 2216 wrote to memory of 852	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	53
PID 2216 wrote to memory of 2372	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	66
PID 2216 wrote to memory of 2372	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	66
PID 2216 wrote to memory of 2372	2216	ef9c94ed2f87a7be79dfaaa427604df4.exe	66
PID 2372 wrote to memory of 2412	2372	cmd.exe	68
PID 2372 wrote to memory of 2412	2372	cmd.exe	68
PID 2372 wrote to memory of 2412	2372	cmd.exe	68
PID 2372 wrote to memory of 2692	2372	cmd.exe	69
PID 2372 wrote to memory of 2692	2372	cmd.exe	69
PID 2372 wrote to memory of 2692	2372	cmd.exe	69
PID 2692 wrote to memory of 2040	2692	csrss.exe	70
PID 2692 wrote to memory of 2040	2692	csrss.exe	70
PID 2692 wrote to memory of 2040	2692	csrss.exe	70
PID 2692 wrote to memory of 2084	2692	csrss.exe	71
PID 2692 wrote to memory of 2084	2692	csrss.exe	71
PID 2692 wrote to memory of 2084	2692	csrss.exe	71
PID 2040 wrote to memory of 2184	2040	WScript.exe	72
PID 2040 wrote to memory of 2184	2040	WScript.exe	72
PID 2040 wrote to memory of 2184	2040	WScript.exe	72
PID 2184 wrote to memory of 2984	2184	csrss.exe	73
PID 2184 wrote to memory of 2984	2184	csrss.exe	73
PID 2184 wrote to memory of 2984	2184	csrss.exe	73
PID 2184 wrote to memory of 904	2184	csrss.exe	74
PID 2184 wrote to memory of 904	2184	csrss.exe	74
PID 2184 wrote to memory of 904	2184	csrss.exe	74
PID 2984 wrote to memory of 2144	2984	WScript.exe	75
PID 2984 wrote to memory of 2144	2984	WScript.exe	75
PID 2984 wrote to memory of 2144	2984	WScript.exe	75
PID 2144 wrote to memory of 3056	2144	csrss.exe	76

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef9c94ed2f87a7be79dfaaa427604df4.exe
"C:\Users\Admin\AppData\Local\Temp\ef9c94ed2f87a7be79dfaaa427604df4.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ef9c94ed2f87a7be79dfaaa427604df4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsLexicons0009\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msftedit\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\chgport\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDSG\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\perfh007\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData0045\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4blGOQXimE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2412
- - C:\Windows\System32\perfh007\csrss.exe
    "C:\Windows\System32\perfh007\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11771b8-1934-4288-8ddf-8a77034390ca.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2184
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab0a182-49d2-4779-9881-ed92f0368486.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4e1cd6e-ba8f-4f8c-b732-55ada97d9123.vbs"
        8⤵
        
        PID:3056
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df075f0a-cda3-4ba2-8ab9-5964ee9d5641.vbs"
        10⤵
        
        PID:3032
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38a4f624-d213-4157-99f5-2475317e0615.vbs"
        12⤵
        
        PID:2736
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\001967fd-a8a8-4952-9230-c8441fd12b4f.vbs"
        14⤵
        
        PID:2748
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e04bd44-cbb9-4738-9e38-e951868b4afd.vbs"
        16⤵
        
        PID:2004
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\120d482a-ee38-48be-b09f-ab7723b845b9.vbs"
        18⤵
        
        PID:2224
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94344d8f-c19c-4a0e-a685-3c8d306f00d0.vbs"
        20⤵
        
        PID:1012
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb3c9985-4c61-420b-b879-22e7fb556ba4.vbs"
        22⤵
        
        PID:320
        
        C:\Windows\System32\perfh007\csrss.exe
        
        C:\Windows\System32\perfh007\csrss.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\906661d7-07ab-432c-9c12-5b24dd9b556b.vbs"
        24⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f5e290f-48a1-4323-aa9c-aa5cec2c9ccb.vbs"
        24⤵
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb8ad68-5743-4c0d-9f06-38daa0c96d8d.vbs"
        22⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\029eae02-84db-415b-ab3e-bb8e7d730da1.vbs"
        20⤵
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca1756e-3644-4094-bd4e-b019db845cf7.vbs"
        18⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\079f639f-baae-4ab3-9060-591bfabf4e1e.vbs"
        16⤵
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\779d94f1-62eb-40aa-bc3d-35acd97b0e90.vbs"
        14⤵
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6afe5c4-7d1e-42b9-a989-19ca265d85b2.vbs"
        12⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e0ff2a0-69a8-4120-9527-e7c91c387b1c.vbs"
        10⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2dd3ca-6848-44ea-9af8-4234d0c479a1.vbs"
        8⤵
        
        PID:3012
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ebad2e-8361-4ece-b41f-8ba65bed494e.vbs"
        6⤵
        
        PID:904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08f206d6-356d-48b6-9c4d-9d44e8226fcb.vbs"
      4⤵
      PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0009\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\msftedit\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\chgport\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\KBDSG\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\PerfLogs\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\perfh007\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0045\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001967fd-a8a8-4952-9230-c8441fd12b4f.vbs

Filesize
714B

MD5
60869c7a1f8036acdb6bbbcec39a7bad

SHA1
ca04ecd99fb49b9fa1fe9552ebeb3664b1637ac9

SHA256
a840a2922298f6d588ab944cbffb1a9002c2bbb1109f8b4508c8a56b0dcb53dd

SHA512
e04e09c641f87d61f22de39d170b8eb48a429cc8664a05c96315a84be107acf00af8d6a1bbac1ddbb9d50e6a9932cfda176778baa395c6c724a884c476c62e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\08f206d6-356d-48b6-9c4d-9d44e8226fcb.vbs

Filesize
490B

MD5
384f095b39f93fbf8b9afa28a8b17b4e

SHA1
22112b83c03005bfee2b8061fa6bb62a8170fefc

SHA256
8c6f11d0eeb323eee3a689930ee59d8110e79c8741b785762bd1f429a8221a1a

SHA512
d370ee00a29a1e29f72ba68fa237147bd5f7e0d52d4fc1bb2b8646506ef6fab2365726c8643485f0d283732f81fbf7e5ed16b8c7c232de2a4ff5a56f88b8dd36

Download Submit
C:\Users\Admin\AppData\Local\Temp\120d482a-ee38-48be-b09f-ab7723b845b9.vbs

Filesize
714B

MD5
ae98edab8b9e4e7bb0e628f6b6137b31

SHA1
382a011d8695f438a6b0c218724710f8950d955a

SHA256
a04c01782342709ce7df77b8e7987f832497ca6d718bcef3d74480e5f464a8b9

SHA512
babfae69beb9ea103d47e6afee8f879a823350f2b865dc780e929c2569664e0ba9a9a7f749b1fa879ded1abb3a6da4d479ad1a1a2ee0c3345884de4375922ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e04bd44-cbb9-4738-9e38-e951868b4afd.vbs

Filesize
714B

MD5
9bc6d23504d59cb02df3def4eea03c59

SHA1
6d178aeb596b9d3475406ea6b0c9ae68f22c1079

SHA256
c4a552f5380e3c5102feb7b7de0fdf72670e08dc4428a4297d524ba85c660821

SHA512
414fe30d93e3c0c0dbaf371d43a40fe899dd2a18f1d5cdba67e23f32d37a763186d7c529942f55249407b6b83557df2969b59b388d03de03c012cfe943b5aac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\38a4f624-d213-4157-99f5-2475317e0615.vbs

Filesize
714B

MD5
bfa2e2da6938c8a54ec98338ed6404a6

SHA1
ee67af04b3ea751d9659ace00781366de333ad16

SHA256
8483fefcd2dd799982c3eafa3dd56cbf8919d97f5c5c352d54c9d4b0a5fb076c

SHA512
e1f9b3af608c30aa82bc5e691cec91667dcf784f2ba4b8840cb69b9cc9a984bec2b430c94d6af78abd30ce13dc3556a3ce92b5c08971f46598f502ffccfc6522

Download Submit
C:\Users\Admin\AppData\Local\Temp\4blGOQXimE.bat

Filesize
202B

MD5
8614117b9554178e4f7b2cd967cad85d

SHA1
b63071742bf3afa175d6f323b81aacf16ba21aed

SHA256
d0bd4bb43d46f29a4fe4938a5e6c0447ad509376e2cacf961baf2cdebdb02861

SHA512
90e1f2ec39dc9542f0d816798de1415d71c880e97efdec791ae92affc57a33ecf93abe70cf20db00d291c2f955e12d25c4d1639771f60c7d900dfcb19c20e13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\906661d7-07ab-432c-9c12-5b24dd9b556b.vbs

Filesize
714B

MD5
550152bdfcd4968c82b4319068c94266

SHA1
989a30c782d10c4eec2bf660a1f8a3b5ce64d602

SHA256
000f39ec07264c064eff54e8823d89679bb44969d335e79a839a4c4502ec9222

SHA512
794df99e0d1bfd41ea1c04fb13ab4b0972d81e6524704cb8bf8a84f3d64ff68757251cc6b5d0aebc59565874e18ab7eef75505481ed562bdf6d9e26e5b4a3e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\94344d8f-c19c-4a0e-a685-3c8d306f00d0.vbs

Filesize
714B

MD5
d15e63686fcc90d033b0e6dc1e1e92c2

SHA1
920a2dcfb811d11e00d7f0014b5a24456dc63617

SHA256
c65463ce909d86ed120a28c001acfff47fa344f61e8c881bfb204cb09a8fb539

SHA512
15e3adc8245e3d2221e05a254a3bc79719de5c45e4215d59adcfca3635b4f44fcc716ad801a2c83f642c14b0165e74224efb7bacd89d5f54dcffcfbc6af469ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d11771b8-1934-4288-8ddf-8a77034390ca.vbs

Filesize
714B

MD5
5b205ec53a833171e17b3bc431c356b4

SHA1
31e52e51358de451569a9d2f1edb971ac5cc8983

SHA256
df89ba55c0d48b6fed227b0cc8f9d24a91d7147c1fffaafd7f8f8af6b249182d

SHA512
71b9d1bed30d4b6008b5b2607a03b16fe5dfb41f3a66cf3912d62ae1684c71c4eb9b8b30b6e5b70eb0605bf1ed7b1365fd9c337d8c9abc0bd8a663492ccf2a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dab0a182-49d2-4779-9881-ed92f0368486.vbs

Filesize
714B

MD5
0214f3d8e31a117c82e0afd667bd1dc6

SHA1
d4d2cfb90e1684c6255d16b34a37a95bad789c46

SHA256
936fe996b711677f879421960c11f97b9d1927ccd7a7c4659ff9cf0f8eda1491

SHA512
6622aa4d4bf2cd5bd6aff096f428f50fecfa802558a61ca3f462e9d8f4cf9619bdace30b6c157259e560534c16a93cd36cc35bfa58a83818a6637f717496340d

Download Submit
C:\Users\Admin\AppData\Local\Temp\df075f0a-cda3-4ba2-8ab9-5964ee9d5641.vbs

Filesize
714B

MD5
11a472546d95806604783ed8d302298a

SHA1
81f18fa929202b953e0af02dff6288ebec67d544

SHA256
3dfd841b1b143d6f1b8353cc13fad663bb8ec7f479907912f45181e82e11719b

SHA512
ea8660a7771718a5d50685169bb867ccc051591d4bf5f88738c155805156d6ae8c8fe9dd73eec4fe062a1f17ce4a4529a75a34bf0b33ba0c83c3b693877eb97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4e1cd6e-ba8f-4f8c-b732-55ada97d9123.vbs

Filesize
714B

MD5
1002720605ca6c03c3f9c774f952bcbd

SHA1
db47ce186b76f7af9b44bade7cef2d04231747e6

SHA256
cf5c17df92274c5841b2a5c79ae91e4b5f155d3d3ef081714115d2f02a7bc697

SHA512
ad450c928c0bf664b1ddaee4e5f4ecb39e7e32fee8845b4d3fed67ee19ac9357bf6c59b5646eb87f4e62042e6af46d7013a10247ce4b1b4cb68fb4f056123369

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb3c9985-4c61-420b-b879-22e7fb556ba4.vbs

Filesize
714B

MD5
7c02cf2c4f2477722572d37fb9cb6dd9

SHA1
8d173ab6e23858f7920b918113decb90eb90df2f

SHA256
09df34fff4c0eef8e581147949467b7ccc97f5f1229cf43c960fca798054c9ee

SHA512
eaef9f358a6a9a0885bef76ff710597b86699477a70bba878d1c6234fce87c59ee22404d5b5785150fd5ceed5655bb36dba910b725ccb375e29cf791729b3207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d65e248858400b0348e7beb7f53dc80c

SHA1
292cf62db5dff51ce7a009e76e924d815ddd0b84

SHA256
c9b062d5b239bd6f756650a737f563b56e7f74211f1ddf32ba1ca2c5950fe970

SHA512
46556d2690fb44fcaf81518fd1cc46fcb69e6c96aad995882bc6d9e995f4745f6b717aac08e48eda0efa44585694422f4f114405d25cd05fdb24a44e726863c2

Download Submit
C:\Windows\System32\KBDSG\smss.exe

Filesize
1.1MB

MD5
ef9c94ed2f87a7be79dfaaa427604df4

SHA1
ca7fc1e83b76575b172d1e8da2b95a32929004a4

SHA256
897d2f5a9ba328ff88d123d0900e9727fed9da63b44e870f0369233510a8ec04

SHA512
4065d78cd8fa37cd0155fb13f173397601b1b1a669bfd8b8bf7bb0be31c0521aaa03d1dfd18bb437cb154a12e64c9083322d348334829ee79d4b6837d4e4d9dd

Download Submit
C:\Windows\System32\perfh007\RCX419C.tmp

Filesize
1.1MB

MD5
1b06b97e1b0324d23810effaa7453b8e

SHA1
1e4ce10a634056e2ef9655e177d92d15ddfc741f

SHA256
9d292e943fd6741223586c3c8f34df3bdb0ca4563242366b78441035519f7488

SHA512
5e253008126d66631ae20f3212c926a0ad6a9ab95631f1b7db514ff0af05dfb4c2b8964f7c89e42bc7db41eadd0faf632b75a0036a4dae8ab14c3ad9c023d326

Download Submit
memory/1160-134-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1160-136-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1284-239-0x00000000011A0000-0x00000000012B4000-memory.dmp

Filesize
1.1MB

Download
memory/1292-312-0x0000000000100000-0x0000000000214000-memory.dmp

Filesize
1.1MB

Download
memory/1304-288-0x0000000000F20000-0x0000000001034000-memory.dmp

Filesize
1.1MB

Download
memory/2112-227-0x00000000001A0000-0x00000000002B4000-memory.dmp

Filesize
1.1MB

Download
memory/2216-12-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2216-14-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2216-128-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-21-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2216-20-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/2216-18-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/2216-17-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/2216-1-0x0000000000FA0000-0x00000000010B4000-memory.dmp

Filesize
1.1MB

Download
memory/2216-24-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-16-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2216-15-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/2216-5-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2216-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2216-13-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/2216-11-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/2216-6-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2216-8-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2216-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-3-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2216-9-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2216-7-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2216-10-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2216-4-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2640-264-0x0000000000A80000-0x0000000000B94000-memory.dmp

Filesize
1.1MB

Download
memory/2692-194-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2692-193-0x0000000000FE0000-0x00000000010F4000-memory.dmp

Filesize
1.1MB

Download
memory/2776-252-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2776-251-0x00000000001F0000-0x0000000000304000-memory.dmp

Filesize
1.1MB

Download
memory/2900-300-0x00000000002B0000-0x00000000003C4000-memory.dmp

Filesize
1.1MB

Download
memory/2932-276-0x0000000000040000-0x0000000000154000-memory.dmp

Filesize
1.1MB

Download