dcrat | 26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Size

1.5MB
MD5

a5fab16bfd5f2f5b2beef03fc634c78b
SHA1

e2876e25315d4109734bd0ffa2e3d50db7550f5e
SHA256

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7
SHA512

a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRQ:EzhWhCXQFN+0IEuQgyiVK4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\", \"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\", \"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\", \"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\", \"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\", \"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\", \"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\", \"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\", \"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\", \"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\", \"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\", \"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC\\OSPPSVC.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\", \"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\", \"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\", \"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC\\OSPPSVC.exe\", \"C:\\Windows\\System32\\pcwutl\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\", \"C:\\Windows\\System32\\w32topl\\lsass.exe\", \"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\", \"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2568	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2568	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2288	powershell.exe
644	powershell.exe
844	powershell.exe
2208	powershell.exe
2476	powershell.exe
1872	powershell.exe
696	powershell.exe
1108	powershell.exe
2148	powershell.exe
2180	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Executes dropped EXE 13 IoCs

pid	Process
1780	lsm.exe
2488	lsm.exe
2480	lsm.exe
2640	lsm.exe
712	lsm.exe
2136	lsm.exe
2256	lsm.exe
1252	lsm.exe
2684	lsm.exe
1608	lsm.exe
2796	lsm.exe
2716	lsm.exe
1252	lsm.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC\\OSPPSVC.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\pcwutl\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC\\OSPPSVC.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\mfc120jpn\\taskhost.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\kbdnecnt\\lsm.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\pcwutl\\csrss.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\lsass.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\w32topl\\lsass.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\w32topl\\lsass.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\NlsLexicons0026\\wininit.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\w32topl\6203df4a6bafc7	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\NlsLexicons0026\wininit.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\NlsLexicons0026\wininit.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\kbdnecnt\RCXFE80.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\kbdnecnt\lsm.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\kbdnecnt\lsm.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\kbdnecnt\101b941d020240	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\pcwutl\csrss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\pcwutl\RCX68F.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\w32topl\lsass.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\mfc120jpn\b75386f1303e64	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\mfc120jpn\RCXFA78.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\NlsLexicons0026\RCXFC7C.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\pcwutl\csrss.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\mfc120jpn\taskhost.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\NlsLexicons0026\56085415360792	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\pcwutl\886983d96e3d3e	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\w32topl\RCXF874.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\w32topl\lsass.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\mfc120jpn\taskhost.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC\1610b97d3ab4a7	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC\RCX48B.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC\OSPPSVC.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC\OSPPSVC.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2968	schtasks.exe
2408	schtasks.exe
2084	schtasks.exe
1820	schtasks.exe
2596	schtasks.exe
2088	schtasks.exe
2488	schtasks.exe
2860	schtasks.exe
2536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
696	powershell.exe
2476	powershell.exe
2208	powershell.exe
2288	powershell.exe
1108	powershell.exe
2180	powershell.exe
644	powershell.exe
844	powershell.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2148	powershell.exe
1872	powershell.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe
2488	lsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2488	lsm.exe
Token: SeDebugPrivilege	2480	lsm.exe
Token: SeDebugPrivilege	2640	lsm.exe
Token: SeDebugPrivilege	712	lsm.exe
Token: SeDebugPrivilege	2136	lsm.exe
Token: SeDebugPrivilege	2256	lsm.exe
Token: SeDebugPrivilege	1252	lsm.exe
Token: SeDebugPrivilege	2684	lsm.exe
Token: SeDebugPrivilege	1608	lsm.exe
Token: SeDebugPrivilege	2796	lsm.exe
Token: SeDebugPrivilege	2716	lsm.exe
Token: SeDebugPrivilege	1252	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 644	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	40
PID 1964 wrote to memory of 644	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	40
PID 1964 wrote to memory of 644	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	40
PID 1964 wrote to memory of 1108	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	41
PID 1964 wrote to memory of 1108	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	41
PID 1964 wrote to memory of 1108	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	41
PID 1964 wrote to memory of 696	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	42
PID 1964 wrote to memory of 696	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	42
PID 1964 wrote to memory of 696	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	42
PID 1964 wrote to memory of 844	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	44
PID 1964 wrote to memory of 844	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	44
PID 1964 wrote to memory of 844	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	44
PID 1964 wrote to memory of 1872	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	45
PID 1964 wrote to memory of 1872	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	45
PID 1964 wrote to memory of 1872	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	45
PID 1964 wrote to memory of 2180	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	47
PID 1964 wrote to memory of 2180	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	47
PID 1964 wrote to memory of 2180	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	47
PID 1964 wrote to memory of 2208	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	48
PID 1964 wrote to memory of 2208	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	48
PID 1964 wrote to memory of 2208	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	48
PID 1964 wrote to memory of 2148	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	49
PID 1964 wrote to memory of 2148	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	49
PID 1964 wrote to memory of 2148	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	49
PID 1964 wrote to memory of 2476	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	52
PID 1964 wrote to memory of 2476	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	52
PID 1964 wrote to memory of 2476	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	52
PID 1964 wrote to memory of 2288	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	53
PID 1964 wrote to memory of 2288	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	53
PID 1964 wrote to memory of 2288	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	53
PID 1964 wrote to memory of 1780	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	60
PID 1964 wrote to memory of 1780	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	60
PID 1964 wrote to memory of 1780	1964	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	60
PID 2812 wrote to memory of 2488	2812	WScript.exe	63
PID 2812 wrote to memory of 2488	2812	WScript.exe	63
PID 2812 wrote to memory of 2488	2812	WScript.exe	63
PID 2488 wrote to memory of 2008	2488	lsm.exe	64
PID 2488 wrote to memory of 2008	2488	lsm.exe	64
PID 2488 wrote to memory of 2008	2488	lsm.exe	64
PID 2488 wrote to memory of 2412	2488	lsm.exe	65
PID 2488 wrote to memory of 2412	2488	lsm.exe	65
PID 2488 wrote to memory of 2412	2488	lsm.exe	65
PID 2008 wrote to memory of 2480	2008	WScript.exe	66
PID 2008 wrote to memory of 2480	2008	WScript.exe	66
PID 2008 wrote to memory of 2480	2008	WScript.exe	66
PID 2480 wrote to memory of 2112	2480	lsm.exe	67
PID 2480 wrote to memory of 2112	2480	lsm.exe	67
PID 2480 wrote to memory of 2112	2480	lsm.exe	67
PID 2480 wrote to memory of 896	2480	lsm.exe	68
PID 2480 wrote to memory of 896	2480	lsm.exe	68
PID 2480 wrote to memory of 896	2480	lsm.exe	68
PID 2112 wrote to memory of 2640	2112	WScript.exe	69
PID 2112 wrote to memory of 2640	2112	WScript.exe	69
PID 2112 wrote to memory of 2640	2112	WScript.exe	69
PID 2640 wrote to memory of 1544	2640	lsm.exe	70
PID 2640 wrote to memory of 1544	2640	lsm.exe	70
PID 2640 wrote to memory of 1544	2640	lsm.exe	70
PID 2640 wrote to memory of 2092	2640	lsm.exe	71
PID 2640 wrote to memory of 2092	2640	lsm.exe	71
PID 2640 wrote to memory of 2092	2640	lsm.exe	71
PID 1544 wrote to memory of 712	1544	WScript.exe	72
PID 1544 wrote to memory of 712	1544	WScript.exe	72
PID 1544 wrote to memory of 712	1544	WScript.exe	72
PID 712 wrote to memory of 660	712	lsm.exe	73

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
"C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\w32topl\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc120jpn\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsLexicons0026\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\kbdnecnt\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\pcwutl\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\kbdnecnt\lsm.exe
  "C:\Windows\System32\kbdnecnt\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System policy modification
  PID:1780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b1cd1b5-9c7c-46d0-b620-c5e37a417dc5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\System32\kbdnecnt\lsm.exe
      C:\Windows\System32\kbdnecnt\lsm.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c2738e-8c0f-474f-a82c-b533ea4e8a0a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c86294e2-e981-4889-965b-ceccd166cd5e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e178cb63-03ee-49a1-a411-b90cfc0edde2.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f148cfef-c13f-4e11-adf5-d7ad63437e9f.vbs"
        11⤵
        
        PID:660
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a558c3a-810a-4ca9-a077-a718cbf1527e.vbs"
        13⤵
        
        PID:2860
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17198334-d0cd-44c0-b933-2b4926cdd305.vbs"
        15⤵
        
        PID:1280
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf8f524-aa20-4066-afc8-4c7dc8f50cd5.vbs"
        17⤵
        
        PID:2724
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8b9247c-4f3a-44f9-8deb-82bb04f3d41f.vbs"
        19⤵
        
        PID:3056
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090d0b2b-ac05-44c7-aeff-4fda91ecf291.vbs"
        21⤵
        
        PID:1652
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5f4269-213e-41e3-9320-3f7f28ea4106.vbs"
        23⤵
        
        PID:2328
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688eb1c7-e48f-41fe-a32b-b4cc5552b550.vbs"
        25⤵
        
        PID:696
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        
        C:\Windows\System32\kbdnecnt\lsm.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01d753a-dc4f-4ee2-8e75-94b21d0338d9.vbs"
        27⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8230a80e-da9e-4897-916c-6dcd730ac828.vbs"
        27⤵
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff586e6e-4703-467b-9f3f-dafe201b4e0a.vbs"
        25⤵
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b46bb9d1-8b83-4656-897e-f8801e3f607d.vbs"
        23⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01104a2-8bd0-4f5e-b57c-db7af861b5a4.vbs"
        21⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34a86d88-e01f-494a-b162-90d1fda96f6d.vbs"
        19⤵
        
        PID:280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856abf5e-7d27-4799-be0b-9af68506f6f2.vbs"
        17⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86b50df5-70af-4070-a5cc-f4a60a1004d3.vbs"
        15⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6315622-e6e7-4864-99f3-ab82b3a7ef38.vbs"
        13⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afd165fb-bcad-43f5-a2d7-02b87aef169d.vbs"
        11⤵
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7588539a-6aec-434b-99a4-5f5bda314a55.vbs"
        9⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c457a6-4cd7-4372-8bbe-658a6be6966e.vbs"
        7⤵
        
        PID:896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c74ac2-1e28-4833-b922-dd5ca794fe60.vbs"
        5⤵
        
        PID:2412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89634baf-f802-44df-af4e-36a6244c6456.vbs"
    3⤵
    PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\w32topl\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\mfc120jpn\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0026\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\kbdnecnt\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\pcwutl\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\090d0b2b-ac05-44c7-aeff-4fda91ecf291.vbs

Filesize
712B

MD5
aebaa8883fe6c93bdce7e436162aae1d

SHA1
5fda4fbdae76daafa9be3fda47f2b09185f66be1

SHA256
e33e4d04ace34963c4ee25f8e78ccc7a6b1c871bfb20fe134da966ac64fcb4dc

SHA512
108872b50e068d5755b0e16584a00e9024a5ba07045d0710533bcbd3f7e7080a3ff6c5e5ecce8f623caeae20f56636fe8000a23ae1a878406946bffc6e38807e

Download Submit
C:\Users\Admin\AppData\Local\Temp\17198334-d0cd-44c0-b933-2b4926cdd305.vbs

Filesize
712B

MD5
612b8270fc19909e9fcaeebed25315ad

SHA1
e3ad5439391bada441dc0a384a8eea1e13386431

SHA256
8752491e1aa4be767238d8145b6f4a96956eb949c7858f056586ecef8da7c8d7

SHA512
6986a91d76e6c88b650161d457e125abcd96562431763ca532f61e7b20428790e712758310f9e32fdb3dafdd4f30329a910b0223d349cb44010cbad25ea5e699

Download Submit
C:\Users\Admin\AppData\Local\Temp\48c74ac2-1e28-4833-b922-dd5ca794fe60.vbs

Filesize
488B

MD5
f1176e1f97171ac11ba43a008d886725

SHA1
1c7b9145e9222099962463dac2400cbc896ad60d

SHA256
8ac21be4baa1926019d6c2d981673fa9122f64a2ff13f1ae33efb6a9a6294c09

SHA512
124dfee94bda3890ee1721436e3001646559cdc840c9d3f467993b052cf97b357dfec1293f7ffeadf2e16a49674b3efa33726f298025ebbfa764f3dcb39cdf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a558c3a-810a-4ca9-a077-a718cbf1527e.vbs

Filesize
712B

MD5
c086fa9326a333a7c2defc7568696bd8

SHA1
05c8b20fec2ec372607114b79fcfcf9282fd6647

SHA256
e5c11092fb7e62e130b18ae836bbebeb686f1405c2fb77924ae6543502845159

SHA512
1a571a8190b2d203b8ebc44ee62a7cddd6f1c3d09575486e4641365715c279d7f7ca5a20040eb0f4eaae6050862416dc8abd767c4af3ca3004686881e2fe368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\688eb1c7-e48f-41fe-a32b-b4cc5552b550.vbs

Filesize
712B

MD5
8c0c9444aec38f9806b416ef48b3a5a3

SHA1
95ede81c2c61028c6998bf92d6b993cab4ac0bbc

SHA256
c695b83325e9a2fae1f5a4b94db8879a1fc9f5f49b357bc55275afa887486bb0

SHA512
55cbd558ef7ccf29e8b2b60acb0aecc22ab4062b968fb3862f9edadda88c506ba57a82dc49f0bff1915d9b4f3d602df1731cc887f11e7d94e7db5b03cf1cc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c86294e2-e981-4889-965b-ceccd166cd5e.vbs

Filesize
712B

MD5
7b5cd4d02a6580f6031ec50538fe2a50

SHA1
a051fa1bd9693368ddfc589e1ec83ccdce5470d9

SHA256
f984fca1d33372e6ae3ae29151fd8901550ca92fc1c339e3b64aeb535bd228f7

SHA512
956d0026559eff7c9befd3d032adfe8ef998023fa0e8078f3e64aeaf407151d505c12b8e51d86edae2b5e575592885b9c51583044873c7472571dd5bde372b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbf8f524-aa20-4066-afc8-4c7dc8f50cd5.vbs

Filesize
712B

MD5
9a1633f05bca38b50e90fc0c01969378

SHA1
3bdfe913c71c6ec5b1ef02cc5321eea66b186537

SHA256
2670ddb80094d4068f4f5893e4806896e9e3df846511e3a05335d816b5289009

SHA512
5dbb3e13bc116dd0143ec061b8edf2449596401b88abdc552dc4543cc91153e1d4fd7a146915b9784ca865022c350e0483ff9fb6ef9d873a29b27fad02ddafb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\de5f4269-213e-41e3-9320-3f7f28ea4106.vbs

Filesize
712B

MD5
1209995b3cb622f5be4691acfa9ab8db

SHA1
35917b9cd4e6cbfe72b1e0b9233f669a4cb9cf28

SHA256
75311b6e7b34195ea039d9dcafe697f6a52ddf05b593749326c4863a5c0c26a2

SHA512
abae83fa75087cdd1c9b09b185c61cd511d504654b1ec7706d7aedc24ba66c15d4fa802bcac5a4e38ade198f3d30b11ffd8d0f454135b733c20cbec3f61fea75

Download Submit
C:\Users\Admin\AppData\Local\Temp\e178cb63-03ee-49a1-a411-b90cfc0edde2.vbs

Filesize
712B

MD5
7a9f42c999999939db9aef410ea01974

SHA1
9b34bf96601ba78cc7b36adc7479b2577252158d

SHA256
ee6cacb366ac1e2a91162014267ddb17d7a1ba4f402e78164131c2c169e563a2

SHA512
20af5cf4b8474e241d77524d1adff865837749f4d1cfbc88d8a768a3345ecf383ccb3b5c368fa2a1faaedc3ef16efc9d7bf206f3d6c41e628d058aeb62fcd041

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0c2738e-8c0f-474f-a82c-b533ea4e8a0a.vbs

Filesize
712B

MD5
7afc002b8c7f4c9c3c8f2f64fd5e6edb

SHA1
2efbf67951f6c8520298f121b5f389c0fc639455

SHA256
b3ffc9f49e7098131d9beb21cd6e147a9d6f86a95ad1785331f8b672de31b4d6

SHA512
9de9849c319100dc7289615c52a41a0f1e5eddc3cbca888a8eaf9cc3ed77f57bf600c667dbf5badacc84f01fb9760507af9f8ade5640d625be2e4db705423dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f148cfef-c13f-4e11-adf5-d7ad63437e9f.vbs

Filesize
711B

MD5
3102840ab7017bccb0b3203cd6400b0a

SHA1
595bdb9ae9269f089f2715613aa62d3849e422e4

SHA256
7a7834f469dc700ca0f8706f5df744dae38228fbd9b7a23b35f368abd683ebb8

SHA512
99f4454c9574334c304108a97212c25f120e9bed928313464113429bec38660441ab1992d987a58a8ab2baafa9776edfd81d0b4dce5117989a391ba8020bf6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8b9247c-4f3a-44f9-8deb-82bb04f3d41f.vbs

Filesize
712B

MD5
2f288e24e7d501360ca5dd57fd6a76a9

SHA1
2ee3111b900be2e14b04bf0c2498a6086b02d386

SHA256
f7e341297ff47cabfd27b8ac6166fe481aa7ad80ee54aa2675855f74da80dcd8

SHA512
55492c132b3bbfb85ddb624cf8816478f54d13ff5c5dcc5b41202ac5848fa6940e968938fd9c1893d4ca85e9bf477f4a6cb630422995f7a82072f0b727a9afc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
42e277da8d97d172907473648231b3f2

SHA1
240180fff3fcaa057b7f4b1dd76d51265fdac334

SHA256
269f845d92d326f8e85fd2c0624d05c00cdd9f6c1d9bce721e8d1d4efa4c0291

SHA512
ec0e18e8bae5c813fd5d519d3d53b7cd913c0d496159a58236ebda89df0a3af87c6afa7a6c64f6e77736c533c4b66c6bbe1e79d9198f5e5900f6a0e62cf4f768

Download Submit
C:\Windows\System32\kbdnecnt\lsm.exe

Filesize
1.5MB

MD5
a5fab16bfd5f2f5b2beef03fc634c78b

SHA1
e2876e25315d4109734bd0ffa2e3d50db7550f5e

SHA256
26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

SHA512
a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894

Download Submit
memory/696-115-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/696-113-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/712-201-0x00000000012F0000-0x000000000146E000-memory.dmp

Filesize
1.5MB

Download
memory/1252-294-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1252-293-0x0000000000880000-0x00000000009FE000-memory.dmp

Filesize
1.5MB

Download
memory/1608-258-0x00000000013D0000-0x000000000154E000-memory.dmp

Filesize
1.5MB

Download
memory/1964-5-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1964-4-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1964-16-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1964-15-0x00000000020B0000-0x00000000020BA000-memory.dmp

Filesize
40KB

Download
memory/1964-14-0x00000000020A0000-0x00000000020AC000-memory.dmp

Filesize
48KB

Download
memory/1964-13-0x0000000002090000-0x000000000209A000-memory.dmp

Filesize
40KB

Download
memory/1964-164-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-18-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/1964-12-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/1964-11-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1964-10-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1964-20-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/1964-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1964-0-0x000007FEF4E33000-0x000007FEF4E34000-memory.dmp

Filesize
4KB

Download
memory/1964-8-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/1964-7-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1964-1-0x00000000001A0000-0x000000000031E000-memory.dmp

Filesize
1.5MB

Download
memory/1964-6-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1964-17-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/1964-24-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-21-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/1964-3-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/1964-2-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-224-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2488-167-0x0000000000CD0000-0x0000000000E4E000-memory.dmp

Filesize
1.5MB

Download
memory/2640-189-0x0000000000060000-0x00000000001DE000-memory.dmp

Filesize
1.5MB

Download
memory/2716-281-0x00000000002B0000-0x000000000042E000-memory.dmp

Filesize
1.5MB

Download