dcrat | cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6689bd9a5c795eedc631e5fbb850b7ff.exe
Size

1.5MB
MD5

6689bd9a5c795eedc631e5fbb850b7ff
SHA1

b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2
SHA256

cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b
SHA512

ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf
SSDEEP

24576:K17t7ROjwJqMAVS2hEijP79eAPkavlCCyYcBoZ11q8UuZPt5PsuWg:KBt7R0wJ4L5Uw5lCCyG31oIPmg

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\OSPPSVC.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6689bd9a5c795eedc631e5fbb850b7ff.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\", \"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\", \"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\OSPPSVC.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4908	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3252	powershell.exe
3228	powershell.exe
3208	powershell.exe
3288	powershell.exe
3348	powershell.exe
3328	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1136	lsm.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\OSPPSVC.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\services.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\it-IT\\OSPPSVC.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\6689bd9a5c795eedc631e5fbb850b7ff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6689bd9a5c795eedc631e5fbb850b7ff.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\Videos\\Sample Videos\\lsm.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Mozilla Firefox\\uninstall\\OSPPSVC.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Help\\mui\\0C0A\\lsm.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6689bd9a5c795eedc631e5fbb850b7ff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6689bd9a5c795eedc631e5fbb850b7ff.exe\""	6689bd9a5c795eedc631e5fbb850b7ff.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe
File created	\??\c:\Windows\System32\CSC5A3F458023AE4617B1E32E8E3FB2744.TMP	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\OSPPSVC.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\OSPPSVC.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\1610b97d3ab4a7	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\OSPPSVC.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\1610b97d3ab4a7	6689bd9a5c795eedc631e5fbb850b7ff.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Help\mui\0C0A\lsm.exe	6689bd9a5c795eedc631e5fbb850b7ff.exe
File created	C:\Windows\Help\mui\0C0A\101b941d020240	6689bd9a5c795eedc631e5fbb850b7ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
904	schtasks.exe
1384	schtasks.exe
2340	schtasks.exe
2492	schtasks.exe
3084	schtasks.exe
2260	schtasks.exe
4980	schtasks.exe
2240	schtasks.exe
996	schtasks.exe
2964	schtasks.exe
3060	schtasks.exe
3176	schtasks.exe
5004	schtasks.exe
2976	schtasks.exe
1700	schtasks.exe
2668	schtasks.exe
2972	schtasks.exe
4948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
3252	powershell.exe
3328	powershell.exe
3228	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	1136	lsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 5032	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	35
PID 2988 wrote to memory of 5032	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	35
PID 2988 wrote to memory of 5032	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	35
PID 5032 wrote to memory of 5080	5032	csc.exe	37
PID 5032 wrote to memory of 5080	5032	csc.exe	37
PID 5032 wrote to memory of 5080	5032	csc.exe	37
PID 2988 wrote to memory of 3208	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	53
PID 2988 wrote to memory of 3208	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	53
PID 2988 wrote to memory of 3208	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	53
PID 2988 wrote to memory of 3228	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	54
PID 2988 wrote to memory of 3228	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	54
PID 2988 wrote to memory of 3228	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	54
PID 2988 wrote to memory of 3252	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	55
PID 2988 wrote to memory of 3252	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	55
PID 2988 wrote to memory of 3252	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	55
PID 2988 wrote to memory of 3288	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	56
PID 2988 wrote to memory of 3288	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	56
PID 2988 wrote to memory of 3288	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	56
PID 2988 wrote to memory of 3328	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	58
PID 2988 wrote to memory of 3328	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	58
PID 2988 wrote to memory of 3328	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	58
PID 2988 wrote to memory of 3348	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	59
PID 2988 wrote to memory of 3348	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	59
PID 2988 wrote to memory of 3348	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	59
PID 2988 wrote to memory of 2576	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	65
PID 2988 wrote to memory of 2576	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	65
PID 2988 wrote to memory of 2576	2988	6689bd9a5c795eedc631e5fbb850b7ff.exe	65
PID 2576 wrote to memory of 4308	2576	cmd.exe	67
PID 2576 wrote to memory of 4308	2576	cmd.exe	67
PID 2576 wrote to memory of 4308	2576	cmd.exe	67
PID 2576 wrote to memory of 4532	2576	cmd.exe	68
PID 2576 wrote to memory of 4532	2576	cmd.exe	68
PID 2576 wrote to memory of 4532	2576	cmd.exe	68
PID 2576 wrote to memory of 1136	2576	cmd.exe	69
PID 2576 wrote to memory of 1136	2576	cmd.exe	69
PID 2576 wrote to memory of 1136	2576	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe
"C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lqprenhq\lqprenhq.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAA6.tmp" "c:\Windows\System32\CSC5A3F458023AE4617B1E32E8E3FB2744.TMP"
    3⤵
    PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0C0A\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\it-IT\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VKIqlhbWOK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4308
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4532
- - C:\Windows\Help\mui\0C0A\lsm.exe
    "C:\Windows\Help\mui\0C0A\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\uninstall\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0C0A\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0C0A\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff6" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6689bd9a5c795eedc631e5fbb850b7ff6" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\6689bd9a5c795eedc631e5fbb850b7ff.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDAA6.tmp

Filesize
1KB

MD5
b8fedba515fdeee3d0a770dba46f248b

SHA1
b6ab615f2dc56f8e881eeecd53da001935c3942f

SHA256
ec0e10257e6e9174d4768c2fbdf5fc005bdb33032837a7121a09e6af4cb441b1

SHA512
f1d061012bc76ccd35466e5fa3418942b091671d0bd79a574eec941e6c26686d3e82e510bce3fdefa98ecea377691554588de53de4c1193a10c65958452c5a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKIqlhbWOK.bat

Filesize
208B

MD5
8b40407f7579d9cf71018ab9fd449a2d

SHA1
8210ab7863828b30f1a5f5179b5b640d20c951fc

SHA256
675074d0500a6f99e1aab1e5a92f1db1af360e59e4e89a58bb77bcd9ca6a978a

SHA512
0c17dad69d4fabf2e3c86ba25344a24dc491a252bfc81910f6643d1c2360230f01d5af30ca8390882d9e262a40dd1ce7f051387155bbf8cd7f9cc1370f8fb2f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6c800c5a3061a822a9d81207c7a58301

SHA1
20338c133bbd681e1a66d97f289d5adfe0faf147

SHA256
5d59d396d88f796820478b6458bdde6f0678e638361fa6ae3ed56c381ebd8e73

SHA512
a6e993a099b066111e88f4744a3966fecb34e12700c56c2ff6f757b271ead69df42a2e8af53944b7d5130a824f075d75fe23a51ce3fe2c007cdedcfdb44fc78d

Download Submit
C:\Users\Public\Videos\Sample Videos\lsm.exe

Filesize
1.5MB

MD5
6689bd9a5c795eedc631e5fbb850b7ff

SHA1
b63d8e25d4eb9abea3ed0f7867f70db2ab18cba2

SHA256
cb4626ad921c63113e18c3aefb109f70c8e334089871133ea675d62d836d810b

SHA512
ff51ccd8918344bb0439a4d9e39394383bff2196496d778db9a3d2862479e55f1bf59c7d467ff055c721231cb592c3c7ded63c5af28a3f9552dc6421dd1151bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqprenhq\lqprenhq.0.cs

Filesize
376B

MD5
5e00047ef3949fcee1e41607c77233af

SHA1
6b323909ee43d464854722013edc470c8eda6f62

SHA256
9aaa78643ecbbae75b327689d64914ac59a1385c6974a31220618903619324d9

SHA512
f2c59515d5ceebd686d401d8ae454fc38078502ffd0c39524e93e009d1a9864aeb0209022de7c38cb0a1ef92ab01db51716a8bf7427b7d568ebc9fb32864fba7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqprenhq\lqprenhq.cmdline

Filesize
235B

MD5
08d84138c18a0e223695523e685ffffa

SHA1
e0d8a13f4eb8fa6febe851da8966344152672ce0

SHA256
eb3c55b9fc7bc33b2a42a5d18e3581377acf4e4dc7cf0f61d5a822277316db76

SHA512
17aba8aafa952048e9621a9977af2d7f60b10abcb9260e3e263998ee27d75638c5a49c20ec60e2d0ff72eec1a11c6affc2a10430402dca8de120351047a7e088

Download Submit
\??\c:\Windows\System32\CSC5A3F458023AE4617B1E32E8E3FB2744.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/1136-3637-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/2988-38-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-24-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-12-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-18-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-26-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-34-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-40-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-56-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-62-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-66-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-64-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-60-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-58-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-54-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-52-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-50-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-48-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-46-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-44-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-42-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-3-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-36-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-32-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-30-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-28-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-4-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-22-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-20-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-16-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-14-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-10-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-8-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-6-0x000000001AD90000-0x000000001AF64000-memory.dmp

Filesize
1.8MB

Download
memory/2988-330-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3560-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3561-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3565-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2988-3563-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2988-3570-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3569-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2988-3567-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/2988-2-0x000000001AD90000-0x000000001AF6A000-memory.dmp

Filesize
1.9MB

Download
memory/2988-3572-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3583-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3585-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3584-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-3612-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-1-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2988-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/3228-3634-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/3252-3633-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download