Analysis
max time kernel: 119s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 03:15
Static task: static1
Behavioral task: behavioral1
Sample: c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Resource: win7-20240903-en

General
Target: c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Size: 4.9MB
MD5: 0ebad9b503420a52d8624a119e9b0390
SHA1: 1f7ac06f73e31f55a13177d4d6e0992e9086c87a
SHA256: c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246d
SHA512: ad34304a6bcbfac284bdb43f73eaedab24851709de14a465494a78fc6d427ca547a2dc957f1ba553cd91126b7d5fde0c445089fe90fa934e4ce78168e709fa40
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is C:\Windows\system32\wbem\wmiprvse.exe (pid 2424), the WMI provider host. A WmiPrvSE.exe parent usually means the child was created through WMI (Win32_Process.Create) rather than by a direct CreateProcess call, so the parent/child link to the real initiator is lost; tie these schtasks.exe instances back to the sample through their task names and target paths, not through the parent PID.

description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all 21 rows)
pid_target: 2424 (all rows)    Process: schtasks.exe (all rows)    procid_target: 30 (all rows)
pid: 2792, 2836, 2928, 2932, 2736, 2144, 2616, 2804, 2632, 3020, 2660, 1796, 1860, 1908, 2600, 1700, 2328, 2000, 2068, 3036, 1484
UAC bypass 27 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Setting EnableLUA to 0 turns UAC off after the next reboot; ConsentPromptBehaviorAdmin = 0 makes administrators elevate silently with no prompt and takes effect immediately; PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop, where it can be drawn over.

description      ioc                                  Process
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
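The registry rows above are the whole UAC bypass: three values under Policies\System written to 0 by the sample and by every lsm.exe copy. The following is an added example, not code from the sample or from the sandbox, that parses rows in the report's own format and flags exactly those writes while ignoring the EnableLUA reads (a read is a UAC check that benign installers also perform). The sample rows are constructed to mirror this report plus one benign control; the value meanings in UAC_VALUES are stock Windows semantics, not something the report states.

```python
"""Detect UAC-disabling registry writes in sandbox or EDR registry events.

Added example: the rows below are constructed to mirror this report's UAC
tables (plus one benign control); nothing here is the sample's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# What a value of 0 means for each of the three values the sample touches
# (stock Windows semantics; the default for ConsentPromptBehaviorAdmin is 5).
UAC_VALUES = {
    "EnableLUA": "UAC disabled entirely (takes effect after reboot)",
    "ConsentPromptBehaviorAdmin": "admins elevate silently, no prompt (takes effect immediately)",
    "PromptOnSecureDesktop": "elevation prompt drawn on the normal desktop, where it can be overdrawn",
}

SET_RE = re.compile(r'^Set value \(int\) (?P<path>\S+) = "(?P<val>-?\d+)" (?P<proc>\S+)$')
QUERY_RE = re.compile(r"^Key value queried (?P<path>\S+) (?P<proc>\S+)$")


@dataclass(frozen=True)
class RegEvent:
    op: str            # "set" or "query"
    path: str          # key + "\" + value name
    value: int | None  # only present for "set"
    process: str


def parse_row(row: str) -> RegEvent:
    """Parse one row of the report's registry table into a RegEvent."""
    row = row.strip()
    if m := SET_RE.match(row):
        return RegEvent("set", m["path"], int(m["val"]), m["proc"])
    if m := QUERY_RE.match(row):
        return RegEvent("query", m["path"], None, m["proc"])
    raise ValueError(f"unrecognised row: {row!r}")


def uac_tampering(events) -> list[tuple[str, str, str]]:
    """Return (process, value_name, meaning) for every write that zeroes one of
    the UAC policy values. Queries are ignored: reading EnableLUA is a UAC
    check, not a bypass, and benign software does it too."""
    findings = []
    for ev in events:
        if ev.op != "set":
            continue
        key, _, name = ev.path.rpartition("\\")
        if key.lower() == UAC_KEY.lower() and name in UAC_VALUES and ev.value == 0:
            findings.append((ev.process, name, UAC_VALUES[name]))
    return findings


# Constructed sample rows in the report's format (four mirror the tables above,
# the last is a benign hardening write that must not fire).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsm.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lsm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lsm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" explorer.exe',
]

if __name__ == "__main__":
    for proc, name, meaning in uac_tampering([parse_row(r) for r in SAMPLE_ROWS]):
        print(f"{proc}: {name}=0 -> {meaning}")
```

The same three value names are what to watch in Sysmon Event ID 13 or an EDR registry feed; the key point for triage is that ConsentPromptBehaviorAdmin = 0 removes the prompt immediately, so the later lsm.exe instances already run elevated without any user interaction even before a reboot makes EnableLUA = 0 effective.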
Dcrat family: YARA rule match
resource: behavioral1/memory/2076-2-0x000000001B910000-0x000000001BA3E000-memory.dmp
yara_rule: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this run every invocation is Add-MpPreference -ExclusionPath against C:/ or one of its top-level directories (see the process tree), so the intent is to exclude the entire volume from real-time scanning.

pid   Process
2252  powershell.exe
2556  powershell.exe
332   powershell.exe
356   powershell.exe
2084  powershell.exe
276   powershell.exe
760   powershell.exe
1064  powershell.exe
448   powershell.exe
616   powershell.exe
572   powershell.exe
824   powershell.exe
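An added example, not code from the sample or from the sandbox, that extracts the exclusions from Add-MpPreference command lines like the twelve above and grades them by how much of the disk they blind: a drive root or a top-level directory is flagged, a deep application-specific folder is not. The command lines are constructed from this report's process tree plus two benign controls; the depth threshold and the reason strings are this example's own choices. Note that Add-MpPreference belongs to the Defender PowerShell module shipped with Windows 8 and later, so on the Windows 7 image used here the commands do nothing, while on a current Windows host the same twelve calls would silently exclude all of C: from real-time scanning.

```python
"""Triage Windows Defender exclusions added through Add-MpPreference.

Added example (not the sample's or the sandbox's code). The command lines
are constructed from this report's process tree plus two benign controls.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# -ExclusionPath/-ExclusionExtension/-ExclusionProcess with a single-, double- or unquoted value.
EXCL_RE = re.compile(
    r'''Add-MpPreference\s+-Exclusion(?P<kind>Path|Extension|Process)\s+'''
    r'''(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))''',
    re.IGNORECASE,
)


def parse_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs; kind is "path", "extension" or "process"."""
    found = []
    for m in EXCL_RE.finditer(cmdline):
        value = next(v for v in (m["sq"], m["dq"], m["bare"]) if v is not None)
        found.append((m["kind"].lower(), value))
    return found


def path_depth(path: str) -> int:
    """Directories below the drive: C:/ -> 0, C:/Windows/ -> 1, C:\\a\\b\\c -> 3.
    Forward slashes are accepted because Defender (and this sample) use them."""
    win = PureWindowsPath(path.replace("/", "\\"))
    return len(win.parts) - (1 if win.drive else 0)


def triage_exclusions(cmdlines) -> list[dict]:
    """Flag exclusions broad enough to blind real-time scanning for whole trees."""
    findings = []
    for cmdline in cmdlines:
        for kind, value in parse_exclusions(cmdline):
            if kind == "path":
                depth = path_depth(value)
                if depth == 0:
                    reason = "drive root excluded: the whole volume is invisible to real-time scanning"
                elif depth == 1:
                    reason = "top-level directory excluded"
                else:
                    continue  # deep app-specific folder: normal vendor practice, not flagged here
            elif kind == "extension":
                reason = "every file with this extension is skipped, wherever it lives"
            else:
                reason = "files opened by this process are skipped"
            findings.append({"kind": kind, "value": value, "reason": reason, "cmdline": cmdline})
    return findings


# The twelve paths this sample excludes, in the order they appear in the process tree.
EXCLUDED_ROOTS = [
    "C:/", "C:/$Recycle.Bin/", "C:/Documents and Settings/", "C:/MSOCache/",
    "C:/PerfLogs/", "C:/Program Files/", "C:/Program Files (x86)/", "C:/ProgramData/",
    "C:/Recovery/", "C:/System Volume Information/", "C:/Users/", "C:/Windows/",
]
SAMPLE_CMDLINES = [
    f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{p}'" for p in EXCLUDED_ROOTS
] + [
    # benign controls (constructed): a narrow vendor folder, and a command that adds nothing
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\App\\cache'",
    "\"powershell\" -Command Get-MpPreference",
]

if __name__ == "__main__":
    for f in triage_exclusions(SAMPLE_CMDLINES):
        print(f"{f['kind']:9} {f['value']:32} {f['reason']}")
```

On a live host the equivalent check is to compare Get-MpPreference's ExclusionPath list against the same depth rule; Sysmon Event ID 1 or PowerShell script-block logging (Event ID 4104) supplies the command lines this parser expects.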
Executes dropped EXE 8 IoCs
pid   Process
2328  lsm.exe
2552  lsm.exe
616   lsm.exe
1712  lsm.exe
1744  lsm.exe
1848  lsm.exe
1784  lsm.exe
600   lsm.exe
Checks whether UAC is enabled 18 IoCs
All rows refer to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA.

description        ioc                  Process
Set value (int)    EnableLUA = "0"      lsm.exe
Key value queried  EnableLUA            lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Key value queried  EnableLUA            lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Key value queried  EnableLUA            lsm.exe
Key value queried  EnableLUA            c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)    EnableLUA = "0"      c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Key value queried  EnableLUA            lsm.exe
Set value (int)    EnableLUA = "0"      lsm.exe
Key value queried  EnableLUA            lsm.exe
Key value queried  EnableLUA            lsm.exe
Key value queried  EnableLUA            lsm.exe
Key value queried  EnableLUA            lsm.exe
Drops file in Program Files directory 12 IoCs
The sample plants three copies of itself under names that mimic Windows and Office binaries (taskhost.exe, OSPPSVC.exe) in directories where those binaries never live, each written through an RCX*.tmp staging file and accompanied by a short hex-named companion file.

description                 ioc                                                                                                   Process
File created                C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File created                C:\Program Files (x86)\Windows Mail\en-US\df60a47c76e842                                               c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File created                C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe                                            c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File created                C:\Program Files\VideoLAN\VLC\taskhost.exe                                                            c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\RCX92C5.tmp                                                           c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\taskhost.exe                                                          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File created                C:\Program Files\Microsoft Games\Mahjong\fr-FR\1610b97d3ab4a7                                         c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File created                C:\Program Files\VideoLAN\VLC\b75386f1303e64                                                          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\en-US\RCX8769.tmp                                               c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File opened for modification  C:\Program Files\Microsoft Games\Mahjong\fr-FR\RCX8C4B.tmp                                          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
File opened for modification  C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe                                          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid   Process
2660  schtasks.exe
1908  schtasks.exe
1484  schtasks.exe
2616  schtasks.exe
2804  schtasks.exe
2632  schtasks.exe
1860  schtasks.exe
2600  schtasks.exe
2328  schtasks.exe
2792  schtasks.exe
2836  schtasks.exe
2144  schtasks.exe
3020  schtasks.exe
2000  schtasks.exe
2068  schtasks.exe
2928  schtasks.exe
2932  schtasks.exe
1700  schtasks.exe
3036  schtasks.exe
2736  schtasks.exe
1796  schtasks.exe
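The two schtasks-related signatures above ("Process spawned unexpected child process" with WmiPrvSE.exe as parent, and "Scheduled Task/Job") are best judged from the command lines in the process tree: the tasks run with /rl HIGHEST, re-fire every few minutes, and point at copies named winlogon.exe or lsm.exe outside System32. The following is an added example, not code from the sample or from the sandbox, that parses schtasks /create command lines into their switches and scores each process-creation event on those three properties plus the WMI-parent condition. The events are constructed from this report's tree plus two benign controls; SYSTEM_BINARY_NAMES and SYSTEM_DIRS describe a stock x64 install and are this example's assumption.

```python
"""Triage schtasks.exe persistence and system-binary masquerading from process events.

Added example (not the sample's or the sandbox's code). The events are
constructed from this report's process tree plus two benign controls.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# One /switch, optionally followed by a double-quoted or bare value (a value never starts with '/').
TOKEN_RE = re.compile(r'/(?P<opt>[A-Za-z]+)(?:\s+(?P<val>"[^"]*"|[^\s/]\S*))?')

# Assumption: names Windows installs only in these directories on a stock x64 host.
SYSTEM_BINARY_NAMES = {"lsm.exe", "winlogon.exe", "taskhost.exe", "csrss.exe", "smss.exe",
                       "wininit.exe", "services.exe", "lsass.exe", "svchost.exe", "dwm.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WMI_LAUNCHED_LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str


def parse_schtasks(cmdline: str) -> dict[str, str | None]:
    """Map each /switch to its value (None for bare switches such as /create or /f).
    The sample wraps the /tr path in both double and single quotes; both are stripped."""
    opts: dict[str, str | None] = {}
    for m in TOKEN_RE.finditer(cmdline):
        val = m["val"]
        opts[m["opt"].lower()] = val.strip('"').strip("'") if val is not None else None
    return opts


def masquerades_system_binary(path: str) -> bool:
    """True when the file name is a well-known Windows binary but the directory is not
    one of the places Windows keeps it."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    return name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS


def triage(ev: ProcEvent) -> list[str]:
    """Return human-readable reasons this event deserves attention (empty if none)."""
    reasons = []
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if parent == "wmiprvse.exe" and image in WMI_LAUNCHED_LOLBINS:
        reasons.append("parent is WmiPrvSE.exe: started through WMI, real initiator hidden")
    if image == "schtasks.exe":
        o = parse_schtasks(ev.cmdline)
        if "create" in o:
            target = o.get("tr") or ""
            if (o.get("rl") or "").upper() == "HIGHEST":
                reasons.append("task runs elevated (/rl HIGHEST)")
            if (o.get("sc") or "").upper() == "MINUTE":
                reasons.append(f"task re-launches target every {o.get('mo') or '1'} minute(s)")
            if masquerades_system_binary(target):
                reasons.append(f"task target masquerades as a system binary: {target}")
    elif masquerades_system_binary(ev.image):
        reasons.append(f"image masquerades as a system binary: {ev.image}")
    return reasons


def sample_events() -> list[ProcEvent]:
    """Constructed events: three from this report's tree, two benign controls."""
    wmi = r"C:\Windows\system32\wbem\wmiprvse.exe"
    st = r"C:\Windows\system32\schtasks.exe"
    return [
        ProcEvent(2144, st, wmi, r'''schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dNc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /f'''),
        ProcEvent(2928, st, wmi, r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f'''),
        ProcEvent(2328, r"C:\Users\Admin\AppData\lsm.exe", r"C:\Windows\System32\cmd.exe", r'"C:\Users\Admin\AppData\lsm.exe"'),
        # benign controls: a vendor backup task created from Explorer, and the real lsm.exe under wininit
        ProcEvent(9001, st, r"C:\Windows\explorer.exe", r'''schtasks.exe /create /tn "VendorBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Vendor\backup.exe" /f'''),
        ProcEvent(9002, r"C:\Windows\System32\lsm.exe", r"C:\Windows\System32\wininit.exe", r"C:\Windows\system32\lsm.exe"),
    ]


if __name__ == "__main__":
    for ev in sample_events():
        for reason in triage(ev):
            print(f"pid {ev.pid}: {reason}")
```

The same rules transfer directly to Sysmon Event ID 1 (ParentImage, Image, CommandLine); the one caveat from this run is that a WMI-launched schtasks.exe carries no useful parent, so the task name and /tr target, not the parent PID, are what link it back to the dropper.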
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid   Process
2076  c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
2076  c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
2076  c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
2084  powershell.exe
760   powershell.exe
616   powershell.exe
2252  powershell.exe
448   powershell.exe
1064  powershell.exe
572   powershell.exe
2556  powershell.exe
332   powershell.exe
276   powershell.exe
824   powershell.exe
356   powershell.exe
2328  lsm.exe
2552  lsm.exe
616   lsm.exe
1712  lsm.exe
1744  lsm.exe
1848  lsm.exe
1784  lsm.exe
600   lsm.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
description               pid   Process
Token: SeDebugPrivilege   2076  c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Token: SeDebugPrivilege   2084  powershell.exe
Token: SeDebugPrivilege   760   powershell.exe
Token: SeDebugPrivilege   616   powershell.exe
Token: SeDebugPrivilege   2252  powershell.exe
Token: SeDebugPrivilege   448   powershell.exe
Token: SeDebugPrivilege   1064  powershell.exe
Token: SeDebugPrivilege   572   powershell.exe
Token: SeDebugPrivilege   2556  powershell.exe
Token: SeDebugPrivilege   332   powershell.exe
Token: SeDebugPrivilege   276   powershell.exe
Token: SeDebugPrivilege   824   powershell.exe
Token: SeDebugPrivilege   356   powershell.exe
Token: SeDebugPrivilege   2328  lsm.exe
Token: SeDebugPrivilege   2552  lsm.exe
Token: SeDebugPrivilege   616   lsm.exe
Token: SeDebugPrivilege   1712  lsm.exe
Token: SeDebugPrivilege   1744  lsm.exe
Token: SeDebugPrivilege   1848  lsm.exe
Token: SeDebugPrivilege   1784  lsm.exe
Token: SeDebugPrivilege   600   lsm.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each process creation is logged as three writes by the parent into the new child; the table collapses those triples. The list stops at 64 entries, so the last row shows only one of its writes.

PID (writer)  Process (writer)                                                          wrote to memory of  procid_target  entries
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   2084                52             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   824                 53             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   356                 54             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   332                 56             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   2556                57             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   2252                59             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   572                 61             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   1064                62             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   760                 63             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   616                 64             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   276                 65             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   448                 66             3
2076          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe   1740                76             3
1740          cmd.exe                                                                   2092                78             3
1740          cmd.exe                                                                   2328                79             3
2328          lsm.exe                                                                   1896                80             3
2328          lsm.exe                                                                   2012                81             3
1896          WScript.exe                                                               2552                83             3
2552          lsm.exe                                                                   1804                84             3
2552          lsm.exe                                                                   2796                85             3
1804          WScript.exe                                                               616                 86             3
616           lsm.exe                                                                   2052                87             1
System policy modification 1 TTPs 27 IoCs
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

description      ioc                                  Process
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)  PromptOnSecureDesktop = "0"          c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  PromptOnSecureDesktop = "0"          lsm.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"     lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Set value (int)  EnableLUA = "0"                      lsm.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"C:\Users\Admin\AppData\Local\Temp\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2076 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d0cSnkaL9P.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2092
-
-
C:\Users\Admin\AppData\lsm.exe"C:\Users\Admin\AppData\lsm.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2328 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bd314fa-e8d5-4afa-9ede-191df6fdcf09.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2552 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d682307a-1b24-4170-b448-e2b5498e5666.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:616 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbc88dea-0fea-499a-93c8-3dc16d3ad5b3.vbs"8⤵PID:2052
-
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1712 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e19baf-127c-4e07-a076-c1534dfc3e03.vbs"10⤵PID:2588
-
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1744 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\252b82f0-3c91-4284-8bdc-f7390fb709be.vbs"12⤵PID:1432
-
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1848 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fce2b944-67ac-47bd-b48d-f093860c096c.vbs"14⤵PID:1268
-
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1784 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fce7411-754a-4611-8402-fe33b419e5ac.vbs"16⤵PID:988
-
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:600 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca45089f-48ee-4045-82f6-004d39f50973.vbs"18⤵PID:1632
-
C:\Users\Admin\AppData\lsm.exeC:\Users\Admin\AppData\lsm.exe19⤵PID:2300
-
-
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\867d64b2-ace0-4de8-ab41-b97e520b76f9.vbs"
Depth 18 ⤵ PID:1756
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\312c7d37-c1a5-4f66-a2be-2ddbeb578714.vbs"
Depth 16 ⤵ PID:1408
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c89bbf95-aac5-4cf5-b833-9300a4359859.vbs"
Depth 14 ⤵ PID:2476
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\573fe1c5-b9cd-428d-9a8b-5982af627f2e.vbs"
Depth 12 ⤵ PID:2688
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f2834b-eee2-4e7d-9898-779e3b199b68.vbs"
Depth 10 ⤵ PID:1068
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601a7f10-b8a1-4fdd-aa8b-e53e9dcb8440.vbs"
Depth 8 ⤵ PID:2816
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ae61de-3c7e-412d-a584-ea6d5a6b23b2.vbs"
Depth 6 ⤵ PID:2796
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc47e8b9-b381-4106-9f7e-2731e0e8355d.vbs"
Depth 4 ⤵ PID:2012
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dNc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dNc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246dN.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\lsm.exe'" /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\lsm.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\lsm.exe'" /rl HIGHEST /f
Depth 1 ⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
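The scheduled-task commands listed above follow one pattern per dropped binary: an ONLOGON task plus two MINUTE-interval tasks, with /rl HIGHEST on two of the three, each pointing at a file named after a Windows system process (lsm.exe, csrss.exe, winlogon.exe, spoolsv.exe, taskhost.exe, OSPPSVC.exe) but stored somewhere that process never lives. The Python below is an added example, not part of this report or of the sample: it parses schtasks /create command lines into name, schedule, interval, run level and target, groups them by target, and flags both the masquerading and the logon-plus-interval persistence pattern. The sample lines are copied from the commands above; the table of legitimate directories for those binary names is the example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: schtasks command lines as recorded in the report above,
# one per line. The report shows the full image path fused in front of each;
# TASK_RE uses search(), so such a prefix is tolerated.
SAMPLE_LOG = r"""
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
"""

# Matches the argument order DcRat-style droppers use: /tn, /sc, optional /mo,
# /tr (path wrapped in "'...'"), optional /rl.
TASK_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/create\s+"
    r"/tn\s+\"(?P<name>[^\"]+)\"\s+"
    r"/sc\s+(?P<sched>\w+)"
    r"(?:\s+/mo\s+(?P<mo>\d+))?"
    r"\s+/tr\s+\"'?(?P<target>[^'\"]+)'?\""
    r"(?:\s+/rl\s+(?P<rl>\w+))?",
    re.IGNORECASE,
)

# Assumed legitimate directories of the binary names the dropped files imitate:
# System32 for the Windows 7 system processes, the Office Software Protection
# Platform directory for OSPPSVC.exe. Anything else with these names is suspect.
EXPECTED_DIR = {
    "lsm.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "taskhost.exe": r"c:\windows\system32",
    "osppsvc.exe": r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform",
}


def parse_task(line):
    """Parse one 'schtasks /create' command line into a dict, or None if it is not one."""
    m = TASK_RE.search(line)
    if not m:
        return None
    return {
        "name": m["name"],
        "sched": m["sched"].upper(),
        "mo": int(m["mo"]) if m["mo"] else None,
        "target": m["target"],
        "rl": m["rl"].upper() if m["rl"] else None,
    }


def parse_log(text):
    """Parse every schtasks line in a block of text, skipping non-matching lines."""
    return [rec for rec in (parse_task(ln) for ln in text.splitlines()) if rec]


def is_masquerade(target):
    """True when the file name is a known system binary but the directory is not its home."""
    directory, _, base = target.lower().rpartition("\\")
    expected = EXPECTED_DIR.get(base)
    return expected is not None and directory != expected


def summarize(records):
    """Group tasks by target executable and record the persistence pattern per target."""
    by_target = defaultdict(lambda: {"tasks": [], "highest": False, "masquerade": False})
    for r in records:
        entry = by_target[r["target"]]
        entry["tasks"].append((r["name"], r["sched"], r["mo"], r["rl"]))
        entry["highest"] = entry["highest"] or r["rl"] == "HIGHEST"
        entry["masquerade"] = is_masquerade(r["target"])
    return dict(by_target)


def findings(records):
    """Return (target, reason) pairs that deserve an analyst's attention."""
    out = []
    for target, info in summarize(records).items():
        scheds = {t[1] for t in info["tasks"]}
        if info["masquerade"]:
            out.append((target, "system binary name outside its expected directory"))
        if info["highest"] and {"ONLOGON", "MINUTE"} <= scheds:
            out.append((target, "logon + minute-interval tasks with /rl HIGHEST"))
    return out


if __name__ == "__main__":
    for target, reason in findings(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {target}")
```

The same functions run unchanged over any text that carries schtasks command lines, for example the CommandLine field of Sysmon event ID 1 records; grouping by target rather than by task name is what exposes the repeated three-task pattern, since the dropper varies the task names but not the executable.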
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
-
Filesize 4.9MB
MD5 0ebad9b503420a52d8624a119e9b0390
SHA1 1f7ac06f73e31f55a13177d4d6e0992e9086c87a
SHA256 c1af137ff49b23b6df9a159172c66f750181e1d466db4d0de92f40cea35a246d
SHA512 ad34304a6bcbfac284bdb43f73eaedab24851709de14a465494a78fc6d427ca547a2dc957f1ba553cd91126b7d5fde0c445089fe90fa934e4ce78168e709fa40
-
Filesize 4.9MB
MD5 54878a3d7bfd2137a80356eecf97a0b7
SHA1 6ba0fface64e0d2dbe338a9bd2ba9ad3edebbcf9
SHA256 8f9794b29859c41dda6abf871abdc308fbe34e5492070a1ab9cd6e1ab0feadf1
SHA512 b4e494e28998d233059b4992ac81bc34be7f1b5a7b9bd79ff989faa29782f5f9ebe9cf1e9ca12cd694890b305b13c88ae13dbbe3da36cb5cbbd1b6ec67e1954d
-
Filesize 706B
MD5 94f24c4f76e574cb76aa546ffcd3d9b7
SHA1 fc5d2c70a76230fea20a00878fdace30ee3b59bf
SHA256 aab888c316ebcc1afad58409b849651c56690669759ffdab9267db22dc587dca
SHA512 9d6e16269437bbc419da67e1200152aa9a69697cf1f64b32c0a85744cc12f4c7217bc0c4a45b929b81349af630bb82be48fa2cafc9cccb06c40f30b2924746af
-
Filesize 4.9MB
MD5 2bdf88f95eefab58442e317326670113
SHA1 2450f81b62f48cdcbfe58f811572828bfed3eb2a
SHA256 a9d1412122518f5f5d592e9814592420d400674cee43fd487d8dc6cb5ef2f208
SHA512 52ba1e85a362fa19c987c8d76810cd01627808473259a25aa1f4f5ed70c3b75acff6ed5950ec4cf7b8056ab8528518be5eff5f3c974fb8696bddd3f9a00ad71d
-
Filesize 706B
MD5 fcf4617094e46f29e9de498b931fe0b3
SHA1 2113a2b64572c74ae0e825e3cccdf4c529b04bde
SHA256 0a3e5b5633e3effb64d0aa300e5473d3791a975f01590e29d535b42334a91fe8
SHA512 d02fe77f1d9492a5571bc9b399068ce32e88492d55ed4d0515a7eb3c88ba425f71e56195121c5e2d7d72880f32f3138e94ad9121d68a47cf5d05655928ca396e
-
Filesize 706B
MD5 6451a36b580f6aa6eec166de2bec6a12
SHA1 ab3abe3db434c87cf197ce97fb0ad0f30a5daebb
SHA256 db9db0139c43e085326bce3e5c158fbcb6a1c74e4beed2c1ab8f80b632b43ceb
SHA512 789bc5036e94f7c49d86d7e507f1188d0bfdc49099c02b73a3cf29973bedb0a256eda44d809ab24c8cda0cbe9282d21838ac6d7a8cf00debbe4e154bf9027342
-
Filesize 706B
MD5 a8e233c30faa1ef86edf5c91ff1ea495
SHA1 dc552eb7554f52dfbc419f969a9fe641b4abb4cd
SHA256 05a823d082ef23fdc6dd44f3b60647a3691230e6df1e006ca5d86129456de0a5
SHA512 d2c4bf5a5d5edaa3850d3530c296cd347bbf87eead94056404ac2c994835a2b7257ea4324ac0bbfcf59e61a578e354873ee28e15d39c289b1ca742c920d6a7ad
-
Filesize 705B
MD5 67b61432551e444adaab8ffd50b0549a
SHA1 1217ffb412dcd15b4aa182beace3546f806905bc
SHA256 3ecaf05345ce6ea2747044835d1587038c4af0d4a771c32911bc3fa1ef20bbdb
SHA512 db58bac1f91ff180d5235d05508cc1b9f62dd03c9ddf5114a368406621ed3a28be3201f5bec81d99fa2e567cb29588128a8142256b569895c52b4a2297e02f85
-
Filesize 705B
MD5 bb39e8fb209a4ee364fef3befafaea65
SHA1 989c4076f9000155ee2c3e9fe9b3e6fe64547113
SHA256 16865887df22eee9baaeb095c213085334e30ce2ab3bc82d14102c5ba224f705
SHA512 09833855f6cc7faac0c30c2d25f7e9bccde57b8d69ed831777ecb0d021bc245af5af09132b6a63dfccd01d3c51c25bbb1d3c489f604ef62918aa2a91bd56bfe3
-
Filesize 195B
MD5 2ee0b82af32c882b37016360ebea84f3
SHA1 e937a85a407939aca29a262f10d50196405d722e
SHA256 ec8211986cf144fbec742eff78883ec82ed6c56e72773c2a8356b813744c2fa1
SHA512 e7a6425b3e6a61e4889ee4c699307f05cf558d3fb46def38cd051aabfc8316c14510e1891cb2a076b403fa5214e3ef17f3288c1c0ce3d560eeae3922128ae7cd
-
Filesize 706B
MD5 49ec24f45294dd7a46f08e9ef95bf5b4
SHA1 50f92070732cda90ff26eb95db0e329a5e1a250a
SHA256 5995d80e9a9998f1f34ed3196898988b6b6c893b9c13badcf7b89789ff5e2907
SHA512 cea0b778511461e909bb36f68bea1aaf4851b4690960057ccf379c26ddd538e7c73f35c4f26950c926a4c8ad00ffcbecd20e159211c4d259090e28e26683abd1
-
Filesize 482B
MD5 bd1d5c0a1c1d467527debde66ee66954
SHA1 62aa846f877d789933cd92fa325ff77efbd7acec
SHA256 c50aa21fb1577b16005f73a5037936608139ae5201f79124afcb128818690276
SHA512 2257962196a9172ed9e3fbb98618b8089aa03d9ec1f29169a777b61aab3cd5fc18b09a934fde10da4f9bacd55890086aac45cb88b0bf9e80cf0e191f8cf9e4bd
-
Filesize 706B
MD5 3a7c9567bb18bb72e20bfbb8db547e23
SHA1 83f7ab8edeabb271543bec2891400a338a0a43bb
SHA256 b8e0f03640c7fe2d40f10c333cafd52df247085d13b06c79072238162dae524f
SHA512 4ef21d35f1e2e8a733147f99e54c68f408309f9f6e8921fa607f3d0f8d4c069328a5046f494505e3fc5061405dc1405eeddb82487026d96da976430bb3ba37f7
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 234bfeb70f069c629d4212162a7fb4fb
SHA1 5ebfb54c9371572bc83cbf21cc62dfaef434e5cf
SHA256 324723e3fd6dcc6ad60be7afb7c6eee4f680bec1b60bad9cdc8eca259ad2c43a
SHA512 bf0deb4188c002d97704403c7a0a682c2c95caaa1ca9db7c65d799683a935d7a42222d434d1392bedc20577dc1958fb5bfb05bead93feed1509f161fd0b1676c
-
Filesize 2.5MB
MD5 3aac6a60031244e9e7e2a345509d314f
SHA1 817ba19993ca5ca24162f31c5032423e1e39610a
SHA256 0d8bf4f14e5b12437e59d7c3d3973ea4b56abbabf380c8a3380eee5d41288c92
SHA512 53107cdd0a375d67bf8283a5e62a7184bf4d57a43e701b4c6ba164a5fd69d2d9a2532c73b916f255aabbb54f4bc6055996e52c82eb85ba5f2c669b884113fc34