dcrat | 2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Size

4.9MB
MD5

fa51bf709923fc828149634c38cd60e0
SHA1

c6ff8deac79ee442ec3fd2bd034264f07f9964a1
SHA256

2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8
SHA512

e46cc7817882abacb5096fa0192d9fbc0fa778bfd4128da6a59e522645321558f15e7765d6aba73707bbf4647008d395ffeb76723f6043bd06b56eec06f07dbd
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2720	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2720	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/388-3-0x000000001B430000-0x000000001B55E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2296	powershell.exe
1976	powershell.exe
1992	powershell.exe
824	powershell.exe
2228	powershell.exe
2092	powershell.exe
2664	powershell.exe
2644	powershell.exe
2684	powershell.exe
1608	powershell.exe
796	powershell.exe
1672	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2528	lsm.exe
2924	lsm.exe
2588	lsm.exe
2000	lsm.exe
1384	lsm.exe
2528	lsm.exe
1232	lsm.exe
1808	lsm.exe
2704	lsm.exe
828	lsm.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\101b941d020240	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File opened for modification	C:\Program Files\Microsoft Games\RCXEA02.tmp	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCXEC06.tmp	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File created	C:\Program Files\Microsoft Games\lsass.exe	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File opened for modification	C:\Program Files\Microsoft Games\lsass.exe	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
File created	C:\Program Files\Microsoft Games\6203df4a6bafc7	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2640	schtasks.exe
2832	schtasks.exe
2872	schtasks.exe
2756	schtasks.exe
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
2644	powershell.exe
2684	powershell.exe
2228	powershell.exe
1992	powershell.exe
824	powershell.exe
2664	powershell.exe
796	powershell.exe
1672	powershell.exe
2092	powershell.exe
1976	powershell.exe
2296	powershell.exe
1608	powershell.exe
2528	lsm.exe
2924	lsm.exe
2588	lsm.exe
2000	lsm.exe
1384	lsm.exe
2528	lsm.exe
1232	lsm.exe
1808	lsm.exe
2704	lsm.exe
828	lsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2528	lsm.exe
Token: SeDebugPrivilege	2924	lsm.exe
Token: SeDebugPrivilege	2588	lsm.exe
Token: SeDebugPrivilege	2000	lsm.exe
Token: SeDebugPrivilege	1384	lsm.exe
Token: SeDebugPrivilege	2528	lsm.exe
Token: SeDebugPrivilege	1232	lsm.exe
Token: SeDebugPrivilege	1808	lsm.exe
Token: SeDebugPrivilege	2704	lsm.exe
Token: SeDebugPrivilege	828	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2644	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	38
PID 388 wrote to memory of 2644	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	38
PID 388 wrote to memory of 2644	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	38
PID 388 wrote to memory of 2664	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	39
PID 388 wrote to memory of 2664	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	39
PID 388 wrote to memory of 2664	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	39
PID 388 wrote to memory of 2684	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	40
PID 388 wrote to memory of 2684	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	40
PID 388 wrote to memory of 2684	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	40
PID 388 wrote to memory of 2228	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	42
PID 388 wrote to memory of 2228	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	42
PID 388 wrote to memory of 2228	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	42
PID 388 wrote to memory of 2296	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	43
PID 388 wrote to memory of 2296	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	43
PID 388 wrote to memory of 2296	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	43
PID 388 wrote to memory of 2092	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	45
PID 388 wrote to memory of 2092	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	45
PID 388 wrote to memory of 2092	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	45
PID 388 wrote to memory of 1672	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	46
PID 388 wrote to memory of 1672	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	46
PID 388 wrote to memory of 1672	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	46
PID 388 wrote to memory of 824	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	47
PID 388 wrote to memory of 824	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	47
PID 388 wrote to memory of 824	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	47
PID 388 wrote to memory of 1992	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	48
PID 388 wrote to memory of 1992	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	48
PID 388 wrote to memory of 1992	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	48
PID 388 wrote to memory of 796	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	49
PID 388 wrote to memory of 796	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	49
PID 388 wrote to memory of 796	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	49
PID 388 wrote to memory of 1608	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	50
PID 388 wrote to memory of 1608	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	50
PID 388 wrote to memory of 1608	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	50
PID 388 wrote to memory of 1976	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	51
PID 388 wrote to memory of 1976	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	51
PID 388 wrote to memory of 1976	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	51
PID 388 wrote to memory of 1408	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	62
PID 388 wrote to memory of 1408	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	62
PID 388 wrote to memory of 1408	388	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe	62
PID 1408 wrote to memory of 496	1408	cmd.exe	64
PID 1408 wrote to memory of 496	1408	cmd.exe	64
PID 1408 wrote to memory of 496	1408	cmd.exe	64
PID 1408 wrote to memory of 2528	1408	cmd.exe	65
PID 1408 wrote to memory of 2528	1408	cmd.exe	65
PID 1408 wrote to memory of 2528	1408	cmd.exe	65
PID 2528 wrote to memory of 2832	2528	lsm.exe	66
PID 2528 wrote to memory of 2832	2528	lsm.exe	66
PID 2528 wrote to memory of 2832	2528	lsm.exe	66
PID 2528 wrote to memory of 2640	2528	lsm.exe	67
PID 2528 wrote to memory of 2640	2528	lsm.exe	67
PID 2528 wrote to memory of 2640	2528	lsm.exe	67
PID 2832 wrote to memory of 2924	2832	WScript.exe	68
PID 2832 wrote to memory of 2924	2832	WScript.exe	68
PID 2832 wrote to memory of 2924	2832	WScript.exe	68
PID 2924 wrote to memory of 1856	2924	lsm.exe	69
PID 2924 wrote to memory of 1856	2924	lsm.exe	69
PID 2924 wrote to memory of 1856	2924	lsm.exe	69
PID 2924 wrote to memory of 1248	2924	lsm.exe	70
PID 2924 wrote to memory of 1248	2924	lsm.exe	70
PID 2924 wrote to memory of 1248	2924	lsm.exe	70
PID 1856 wrote to memory of 2588	1856	WScript.exe	71
PID 1856 wrote to memory of 2588	1856	WScript.exe	71
PID 1856 wrote to memory of 2588	1856	WScript.exe	71
PID 2588 wrote to memory of 748	2588	lsm.exe	72

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe
"C:\Users\Admin\AppData\Local\Temp\2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vf1Vq2YPmL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:496
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deaa0ec7-03e3-4cc3-82c3-4564f863ca88.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2924
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac182583-71cd-4aea-aaef-c2947b215af4.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c5a9e4-123e-4f7b-b680-ef1caed5ebb4.vbs"
        8⤵
        
        PID:748
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c079545-bff1-4e96-92ff-314a82e527c8.vbs"
        10⤵
        
        PID:2844
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7307640-ae5e-4a2e-8152-55e31f9f734a.vbs"
        12⤵
        
        PID:2764
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ba89500-691f-47c4-803d-453d23a446bf.vbs"
        14⤵
        
        PID:2960
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adcf271-6c59-4c3d-8439-651e4e74edcb.vbs"
        16⤵
        
        PID:2444
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\096b7f99-5953-4ea5-b756-016bd57d1888.vbs"
        18⤵
        
        PID:1964
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ccf0fd5-ccb2-406d-9305-2cff20f06363.vbs"
        20⤵
        
        PID:2744
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c1979d-17ad-4b79-ac55-5c76084db0ab.vbs"
        22⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13911cd1-42c0-4c53-9890-32802416979a.vbs"
        22⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db9353be-a297-458d-bc13-101bfc7b6488.vbs"
        20⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4581519-d4e4-438c-baa6-c8d47f952dea.vbs"
        18⤵
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff7ca28b-21e0-4dfc-91cb-6f868c5328e4.vbs"
        16⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c894148-c1c5-4868-9049-96a45c7ad19a.vbs"
        14⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb85a30a-117f-4dd5-81e2-50af1054d902.vbs"
        12⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca441e2b-137f-4652-8e97-2af40dab9d63.vbs"
        10⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4dcd3ca-7836-42f6-844c-5500c5600c91.vbs"
        8⤵
        
        PID:1984
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\553c3c55-df82-4f0b-bcec-1563826dd7cb.vbs"
        6⤵
        
        PID:1248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb7ba160-d497-4c8a-a61a-eb0eced24f54.vbs"
      4⤵
      PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\lsass.exe

Filesize
4.9MB

MD5
fa51bf709923fc828149634c38cd60e0

SHA1
c6ff8deac79ee442ec3fd2bd034264f07f9964a1

SHA256
2714c93b3290c1f48c074ed546cbad5602c1f3a495a02ab42c1d5f76d18c1ab8

SHA512
e46cc7817882abacb5096fa0192d9fbc0fa778bfd4128da6a59e522645321558f15e7765d6aba73707bbf4647008d395ffeb76723f6043bd06b56eec06f07dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\096b7f99-5953-4ea5-b756-016bd57d1888.vbs

Filesize
755B

MD5
fab51649d581e3561a25f68a2ac25133

SHA1
9f8ef1ada3898b919d84c142baf9065ab8bd8ed7

SHA256
fec7aa3d49775ce22ccd4c27a62eccf0d30b5ecac12c89fa5bd624d277b76cb3

SHA512
ac70fcbf7d7741382fa81c1df36e60d3d11d4ef776c4f51ec359fbe89284933a98867d4ffd1db4bb488c23953538e616807032f6ce5be41c09839e4fe95e4536

Download Submit
C:\Users\Admin\AppData\Local\Temp\35c1979d-17ad-4b79-ac55-5c76084db0ab.vbs

Filesize
754B

MD5
93f41f82c902c0d0348b167a29c9cb6c

SHA1
e61b713e191edee92c4a538ab428e21fdad3a2f9

SHA256
68e8dca21f0ad4adf0932b7e626555165d0bdb50b8a4490f913af895843024ef

SHA512
3765af3769a077924a41667e0acfe653b0df65dbc1b95fc4e5e53f74197ad044b4649c11cbe631330b2dc2afe0f7a4e09ee9fd4d53c3be30862d00714512787b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ccf0fd5-ccb2-406d-9305-2cff20f06363.vbs

Filesize
755B

MD5
98daa01ad303f597365ba8fc4d5fe5ae

SHA1
edbcb20409667a6ab1e261c87624765025ed1435

SHA256
b55fbc636010933450e0898ef9d596225ebd4fbf6e40defd6ad0f8666b59250b

SHA512
6cd1fbe076f3a208f5aed3a31b5c27739f3b632dc77fb995890889b37da22778d6a60995b9b0a7256206a457f72b2800d768c346d6de981e3fb6cf9e8dfef7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c079545-bff1-4e96-92ff-314a82e527c8.vbs

Filesize
755B

MD5
4dcff34b21dcafe48dfc2f546ceb43a9

SHA1
2fb4d24d9409434584fdcce31dffed1d8026744f

SHA256
dcd4c12d9817a5abce4736afc142012a6cc403198fb8fbf8ae798b706e265d42

SHA512
9fa401c7c8c058c80a82843e1a37fc053cccaa0a31807aef9743e84a282cddf52fd637f52fa732d16bc3bd47f3b785ecf4e631adbec6addb310f5794df2b28b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8adcf271-6c59-4c3d-8439-651e4e74edcb.vbs

Filesize
755B

MD5
351d8b0a93daf1dbb7c479f931b9108f

SHA1
966c501d170639524bf8e9d9e654d42516e51615

SHA256
510cf1137d511140d07deb1b7557a0e6b1de1ca9c6b3b4379de1bec698160595

SHA512
0b66cbe1430f9ae936328704e757ff87384467d19187906cf1a1b17c79a53670e6d34bbbe48e022e27951934480f557a99a95182d51584b1a0ebea66875fd0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7307640-ae5e-4a2e-8152-55e31f9f734a.vbs

Filesize
755B

MD5
1c2b6fad6155332e6b2b9c892784a205

SHA1
c6942ac01f3c3af873c872e33cc7cf5619a57a26

SHA256
84a132ca5f5676e32f0a4363cb1350d86fdde4148769563dd90ef4d068d0e3da

SHA512
8d2645b70b2a6ef84b023a172e1d677fc39e16d1dc1053a47472c4f9a004ff26fc31da8df5f3c1002b3b84f979a08469f98d01aebe707000656f3c8f58eb2c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac182583-71cd-4aea-aaef-c2947b215af4.vbs

Filesize
755B

MD5
1cefbe030e957d967207a8f79ff1d27f

SHA1
79e271ff06ba06e1b3dd9b5507968ac9fb797574

SHA256
3e74d139f82abbf746998f4cd635e453d5be5be6284dc22970088d81ea5d9f15

SHA512
a4f292ec6fa6dc609b9d733e7439bbf87289753494639e3f269e372e64ad0e3661383c61d5f4438ae09d353cc944d89e577c259c6e650dc4b3adeeb06313f8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8c5a9e4-123e-4f7b-b680-ef1caed5ebb4.vbs

Filesize
755B

MD5
eb6f6f79084872b2da58d5839d7e5675

SHA1
434f05e3ff512324a33ffb29e77c817629833ee4

SHA256
f13430a53351c929788dd23b7fea74f598aad9323b996b9d05d23a146939308d

SHA512
4cd35c7098dd314be88399473efee21c7117e539d60ebd184c508f7e56ff4b12df30ce7c5fc6f252b907524edb9bfab04ae061bf9b785af3df407c65fe193936

Download Submit
C:\Users\Admin\AppData\Local\Temp\deaa0ec7-03e3-4cc3-82c3-4564f863ca88.vbs

Filesize
755B

MD5
2daf4253372a44dfea5ce7ba9c547bce

SHA1
5d4fc90e4574ba0a92dec2e73e996aa7aeb4805f

SHA256
862c78d8b28107a649733adfc5eeeee1bd17d47a34d301997bf5767cebf5427d

SHA512
9f740121bc10c8eeda727c6358694a345f5f422c84d64e40720530bce5f666de4a6bb061918cafc6c0e3a24f3b3fcb64229f5e2a3e5876229f47575f8923b58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb7ba160-d497-4c8a-a61a-eb0eced24f54.vbs

Filesize
531B

MD5
25ae8b32af1a50062e1f5b8e8303f942

SHA1
3aa338c1ef3486c079d6c5c2ba538b0ee4bf2e96

SHA256
9819d8213502df616c1d08550ef2109703d4d5cf15593866edd439ae10f06760

SHA512
227359130398924a945b569a153f1731243f717375860309076fd408d2c94730f9afb70393921ed7002c570579137446a43a86f472a579b2ae38d440468f9bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42CA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vf1Vq2YPmL.bat

Filesize
244B

MD5
18a355a02434fdb5c5821448b68ca3e2

SHA1
18a15f70bd6620cf46907399597922767a4a06a3

SHA256
517d21b33e8a831302ca0769c9879fdad3a4970e3c0d4570079199f98b4f8f6c

SHA512
2cd3e0a9ab2314fd81189dae51e5f7faabf980bc7d9f49672c91ed6c5aa52e63eba1a4f4b8d8b1aa6397a511ee5096e47e6f3f06f3a43f2c97edd40339cb8671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
995447079187371480abf82b5940fb31

SHA1
7f92014d1beeec973def37b9751c8f97d433135b

SHA256
28fa7c2f2692bf5617266c6f83cc38ac2189cc89c8750b5b4573ff6fcb2ac31a

SHA512
78cde03eb4341fe1f4c83d4f662babee0bffa57388496e13d4978d39b24a05ee6ad01be951a83971976280be1c387049080e9bfaf949ebd32da58ac063808a02

Download Submit
memory/388-11-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/388-15-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/388-16-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/388-14-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/388-13-0x0000000000C10000-0x0000000000C1E000-memory.dmp

Filesize
56KB

Download
memory/388-1-0x0000000001360000-0x0000000001854000-memory.dmp

Filesize
5.0MB

Download
memory/388-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/388-84-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/388-12-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/388-7-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/388-2-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/388-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/388-10-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/388-3-0x000000001B430000-0x000000001B55E000-memory.dmp

Filesize
1.2MB

Download
memory/388-9-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/388-8-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/388-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/388-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/828-245-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/1232-200-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/1384-169-0x0000000000CB0000-0x00000000011A4000-memory.dmp

Filesize
5.0MB

Download
memory/1808-215-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/2000-154-0x0000000000C90000-0x0000000001184000-memory.dmp

Filesize
5.0MB

Download
memory/2528-108-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download
memory/2528-185-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2528-184-0x0000000001080000-0x0000000001574000-memory.dmp

Filesize
5.0MB

Download
memory/2528-109-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2588-139-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2588-138-0x00000000003C0000-0x00000000008B4000-memory.dmp

Filesize
5.0MB

Download
memory/2644-47-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2644-56-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2704-230-0x00000000008F0000-0x0000000000DE4000-memory.dmp

Filesize
5.0MB

Download
memory/2924-123-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download