dcrat | aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\System.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\System.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\System.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\lsm.exe\", \"C:\\Windows\\Branding\\Basebrd\\de-DE\\audiodg.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\System.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\lsm.exe\", \"C:\\Windows\\Branding\\Basebrd\\de-DE\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Idle.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\System.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\Idle.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\", \"C:\\Windows\\security\\audit\\smss.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\System.exe\", \"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\lsm.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2956	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2956	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Idle.exeaa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2272-2-0x0000000000A00000-0x0000000000FD8000-memory.dmp	dcrat
behavioral1/memory/2272-54-0x0000000000A00000-0x0000000000FD8000-memory.dmp	dcrat
behavioral1/memory/1908-63-0x0000000000D20000-0x00000000012F8000-memory.dmp	dcrat
behavioral1/memory/1908-65-0x0000000000D20000-0x00000000012F8000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

1908 Idle.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

856 cmd.exe
856 cmd.exe

pid	process
1908	Idle.exe

pid	process
856	cmd.exe
856	cmd.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\lsm.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Idle.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Idle.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\b2a802a2-3b12-11ef-8991-d2f1755c8afd\\OSPPSVC.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\lsm.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Branding\\Basebrd\\de-DE\\audiodg.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Mail\\System.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Mail\\System.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\security\\audit\\smss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\security\\audit\\smss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\csrss.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\Idle.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\Branding\\Basebrd\\de-DE\\audiodg.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\MSBuild\\taskhost.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\taskhost.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\Idle.exe\""	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exeIdle.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exeIdle.exe

pid	process
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
1908	Idle.exe
1908	Idle.exe

Drops file in Program Files directory 15 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\Idle.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files (x86)\MSBuild\taskhost.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File opened for modification	C:\Program Files (x86)\MSBuild\taskhost.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files\VideoLAN\VLC\lua\Idle.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\System.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files (x86)\Windows Mail\27d1bcfc3c54e0	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files\VideoLAN\VLC\lua\6ccacd8608530f	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files (x86)\MSBuild\b75386f1303e64	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\886983d96e3d3e	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\taskhost.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files (x86)\Windows Mail\System.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\taskhost.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\b75386f1303e64	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

Drops file in Windows directory 6 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

description	ioc	process
File created	C:\Windows\security\audit\69ddcba757bf72	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Windows\Branding\Basebrd\de-DE\audiodg.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Windows\Branding\Basebrd\de-DE\42af1c969fbb7b	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File opened for modification	C:\Windows\security\audit\smss.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\audiodg.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
File created	C:\Windows\security\audit\smss.exe	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.execmd.exew32tm.exeIdle.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3064	schtasks.exe
1884	schtasks.exe
2228	schtasks.exe
752	schtasks.exe
2636	schtasks.exe
2756	schtasks.exe
1944	schtasks.exe
2256	schtasks.exe
2932	schtasks.exe
2940	schtasks.exe
2648	schtasks.exe
2972	schtasks.exe
1840	schtasks.exe
604	schtasks.exe
1184	schtasks.exe
2372	schtasks.exe
2752	schtasks.exe
2592	schtasks.exe
2964	schtasks.exe
268	schtasks.exe
608	schtasks.exe
1960	schtasks.exe
2700	schtasks.exe
2560	schtasks.exe
2680	schtasks.exe
2876	schtasks.exe
448	schtasks.exe
1604	schtasks.exe
664	schtasks.exe
2008	schtasks.exe
2024	schtasks.exe
3000	schtasks.exe
2184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exeIdle.exe

pid	process
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe
1908	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exeIdle.exe

description	pid	process
Token: SeDebugPrivilege	2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Token: SeDebugPrivilege	1908	Idle.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exeIdle.exe

pid process

2272 aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
1908 Idle.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.execmd.exew32tm.exe

description	pid	process	target process
PID 2272 wrote to memory of 856	2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe	cmd.exe
PID 2272 wrote to memory of 856	2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe	cmd.exe
PID 2272 wrote to memory of 856	2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe	cmd.exe
PID 2272 wrote to memory of 856	2272	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe	cmd.exe
PID 856 wrote to memory of 3024	856	cmd.exe	w32tm.exe
PID 856 wrote to memory of 3024	856	cmd.exe	w32tm.exe
PID 856 wrote to memory of 3024	856	cmd.exe	w32tm.exe
PID 856 wrote to memory of 3024	856	cmd.exe	w32tm.exe
PID 3024 wrote to memory of 1196	3024	w32tm.exe	w32tm.exe
PID 3024 wrote to memory of 1196	3024	w32tm.exe	w32tm.exe
PID 3024 wrote to memory of 1196	3024	w32tm.exe	w32tm.exe
PID 3024 wrote to memory of 1196	3024	w32tm.exe	w32tm.exe
PID 856 wrote to memory of 1908	856	cmd.exe	Idle.exe
PID 856 wrote to memory of 1908	856	cmd.exe	Idle.exe
PID 856 wrote to memory of 1908	856	cmd.exe	Idle.exe
PID 856 wrote to memory of 1908	856	cmd.exe	Idle.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

Processes:

Idle.exeaa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe
"C:\Users\Admin\AppData\Local\Temp\aa2fa7c979e868047cf947370ae3f511068276c3c0eb1541301b9f6a3fa7abba.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyA6Uc1OxI.bat"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1196

C:\Program Files\VideoLAN\VLC\lua\Idle.exe
"C:\Program Files\VideoLAN\VLC\lua\Idle.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\security\audit\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\security\audit\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\security\audit\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\de-DE\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\Basebrd\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

2

T1082

System Location Discovery

T1614

System Language Discovery