dcrat | 09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\", \"C:\\Program Files\\Java\\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\Idle.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\", \"C:\\Program Files\\Java\\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\", \"C:\\Program Files\\Java\\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\Idle.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\", \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Users\\Default\\Cookies\\lsm.exe\", \"C:\\Windows\\TAPI\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\", \"C:\\Program Files\\Java\\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\Idle.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\wininit.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2104	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2376-2-0x0000000000E50000-0x0000000001428000-memory.dmp	dcrat
behavioral1/memory/2376-58-0x0000000000E50000-0x0000000001428000-memory.dmp	dcrat
behavioral1/memory/1032-61-0x0000000000BB0000-0x0000000001188000-memory.dmp	dcrat
behavioral1/memory/1032-62-0x0000000000BB0000-0x0000000001188000-memory.dmp	dcrat
behavioral1/memory/1032-65-0x0000000000BB0000-0x0000000001188000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

wininit.exe

pid process

1032 wininit.exe

pid	process
1032	wininit.exe

Loads dropped DLL 2 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

pid	process
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Recent\\services.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Recent\\services.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\TAPI\\wininit.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\TAPI\\wininit.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694 = "\"C:\\Program Files\\Java\\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\wininit.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Cookies\\lsm.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\csrss.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\Idle.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\wininit.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Google\\Chrome\\Application\\audiodg.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Cookies\\lsm.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\taskhost.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694 = "\"C:\\Program Files\\Java\\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\Idle.exe\""	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

pid	process
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe

Drops file in Program Files directory 12 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\42af1c969fbb7b	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files\Java\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files\Java\c7f6cf69fdaa1e	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\6ccacd8608530f	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\56085415360792	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files\Google\Chrome\Application\audiodg.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\audiodg.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File opened for modification	C:\Program Files\Java\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

Drops file in Windows directory 3 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

description	ioc	process
File created	C:\Windows\TAPI\wininit.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File created	C:\Windows\TAPI\56085415360792	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
File opened for modification	C:\Windows\TAPI\wininit.exe	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2700	schtasks.exe
2872	schtasks.exe
2880	schtasks.exe
2772	schtasks.exe
292	schtasks.exe
1948	schtasks.exe
1636	schtasks.exe
1892	schtasks.exe
2660	schtasks.exe
3000	schtasks.exe
1852	schtasks.exe
2312	schtasks.exe
2668	schtasks.exe
2844	schtasks.exe
1048	schtasks.exe
1716	schtasks.exe
2752	schtasks.exe
2036	schtasks.exe
568	schtasks.exe
2612	schtasks.exe
2600	schtasks.exe
1740	schtasks.exe
3036	schtasks.exe
2896	schtasks.exe
2988	schtasks.exe
1736	schtasks.exe
1052	schtasks.exe
1652	schtasks.exe
2672	schtasks.exe
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

pid	process
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe
1032	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Token: SeDebugPrivilege	1032	wininit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

pid process

2376 09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
1032 wininit.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe

description	pid	process	target process
PID 2376 wrote to memory of 1032	2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe	wininit.exe
PID 2376 wrote to memory of 1032	2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe	wininit.exe
PID 2376 wrote to memory of 1032	2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe	wininit.exe
PID 2376 wrote to memory of 1032	2376	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe	wininit.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

Processes:

09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe
"C:\Users\Admin\AppData\Local\Temp\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2376

C:\Windows\TAPI\wininit.exe
"C:\Windows\TAPI\wininit.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Recent\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Recent\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c6940" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694" /sc ONLOGON /tr "'C:\Program Files\Java\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c6940" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\09c0c134cbc01a50cc2f9c05504480cb2e1f1a0139d3372e6fe0a22aeff4c694.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

2

T1082

System Location Discovery

T1614

System Language Discovery