dcrat | 294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AgentDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	AgentDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AgentDriversession.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00090000000120f8-3.dat	dcrat
behavioral1/files/0x000700000001927c-50.dat	dcrat
behavioral1/memory/3048-53-0x00000000010D0000-0x0000000001416000-memory.dmp	dcrat
behavioral1/memory/2368-113-0x0000000000B20000-0x0000000000E66000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
280	powershell.exe
848	powershell.exe
1428	powershell.exe
1284	powershell.exe
3060	powershell.exe
1268	powershell.exe
1636	powershell.exe
2684	powershell.exe
2988	powershell.exe
2920	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
572	attrib.exe
1688	attrib.exe

Executes dropped EXE 10 IoCs

pid	Process
2160	loader0.exe
1424	installer.exe
2784	WmZWbh4b.exe
2352	Umbral.exe
3048	AgentDriversession.exe
2368	cmd.exe
2924	CNUBWLN86RZHT2Q.exe
2464	WebReviewWinSvc.exe
212	$77svchost.exe
204	WebReviewWinSvc.exe

Loads dropped DLL 12 IoCs

pid	Process
2680	392fcfb7445ce64079d2de971877520e.exe
2680	392fcfb7445ce64079d2de971877520e.exe
1424	installer.exe
1424	installer.exe
1424	installer.exe
1424	installer.exe
1424	installer.exe
2648	cmd.exe
2648	cmd.exe
2496	cmd.exe
2496	cmd.exe
2952	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Exec\\$77svchost.exe\""	WmZWbh4b.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AgentDriversession.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	discord.com
17	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\taskhost.exe	AgentDriversession.exe
File created	C:\Program Files (x86)\Adobe\b75386f1303e64	AgentDriversession.exe
File created	C:\Program Files\Uninstall Information\audiodg.exe	AgentDriversession.exe
File created	C:\Program Files\Uninstall Information\42af1c969fbb7b	AgentDriversession.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\cmd.exe	WebReviewWinSvc.exe
File created	C:\Windows\es-ES\ebf1f9fa8afd6d	WebReviewWinSvc.exe
File created	C:\Windows\es-ES\smss.exe	AgentDriversession.exe
File created	C:\Windows\es-ES\69ddcba757bf72	AgentDriversession.exe
File created	C:\Windows\Media\Sonata\explorer.exe	WebReviewWinSvc.exe
File created	C:\Windows\Media\Sonata\7a0fd90576e088	WebReviewWinSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	392fcfb7445ce64079d2de971877520e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CNUBWLN86RZHT2Q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	cmd.exe
2328	PING.EXE

Delays execution with timeout.exe 1 IoCs

pid	Process
2400	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
900	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2328	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 50 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
284	schtasks.exe
2188	schtasks.exe
2852	schtasks.exe
1084	schtasks.exe
1264	schtasks.exe
1044	schtasks.exe
2296	schtasks.exe
1332	schtasks.exe
3068	schtasks.exe
2804	schtasks.exe
1724	schtasks.exe
2204	schtasks.exe
2684	schtasks.exe
1524	schtasks.exe
1536	schtasks.exe
348	schtasks.exe
1732	schtasks.exe
2912	schtasks.exe
548	schtasks.exe
2496	schtasks.exe
1596	schtasks.exe
2956	schtasks.exe
668	schtasks.exe
548	schtasks.exe
2812	schtasks.exe
2940	schtasks.exe
1984	schtasks.exe
2732	schtasks.exe
1628	schtasks.exe
2836	schtasks.exe
3036	schtasks.exe
3028	schtasks.exe
2628	schtasks.exe
2144	schtasks.exe
1388	schtasks.exe
1916	schtasks.exe
1680	schtasks.exe
2780	schtasks.exe
1716	schtasks.exe
1384	schtasks.exe
1820	schtasks.exe
2780	schtasks.exe
900	schtasks.exe
2764	schtasks.exe
2564	schtasks.exe
2072	schtasks.exe
1712	schtasks.exe
2448	schtasks.exe
1564	schtasks.exe
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	AgentDriversession.exe
3048	AgentDriversession.exe
3048	AgentDriversession.exe
3048	AgentDriversession.exe
3048	AgentDriversession.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2352	Umbral.exe
1440	powershell.exe
2368	cmd.exe
2368	cmd.exe
1636	powershell.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2684	powershell.exe
2368	cmd.exe
2368	cmd.exe
2640	powershell.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2784	WmZWbh4b.exe
2784	WmZWbh4b.exe
2784	WmZWbh4b.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2988	powershell.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe
2368	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	Umbral.exe
Token: SeDebugPrivilege	3048	AgentDriversession.exe
Token: SeDebugPrivilege	2368	cmd.exe
Token: SeIncreaseQuotaPrivilege	2892	wmic.exe
Token: SeSecurityPrivilege	2892	wmic.exe
Token: SeTakeOwnershipPrivilege	2892	wmic.exe
Token: SeLoadDriverPrivilege	2892	wmic.exe
Token: SeSystemProfilePrivilege	2892	wmic.exe
Token: SeSystemtimePrivilege	2892	wmic.exe
Token: SeProfSingleProcessPrivilege	2892	wmic.exe
Token: SeIncBasePriorityPrivilege	2892	wmic.exe
Token: SeCreatePagefilePrivilege	2892	wmic.exe
Token: SeBackupPrivilege	2892	wmic.exe
Token: SeRestorePrivilege	2892	wmic.exe
Token: SeShutdownPrivilege	2892	wmic.exe
Token: SeDebugPrivilege	2892	wmic.exe
Token: SeSystemEnvironmentPrivilege	2892	wmic.exe
Token: SeRemoteShutdownPrivilege	2892	wmic.exe
Token: SeUndockPrivilege	2892	wmic.exe
Token: SeManageVolumePrivilege	2892	wmic.exe
Token: 33	2892	wmic.exe
Token: 34	2892	wmic.exe
Token: 35	2892	wmic.exe
Token: SeIncreaseQuotaPrivilege	2892	wmic.exe
Token: SeSecurityPrivilege	2892	wmic.exe
Token: SeTakeOwnershipPrivilege	2892	wmic.exe
Token: SeLoadDriverPrivilege	2892	wmic.exe
Token: SeSystemProfilePrivilege	2892	wmic.exe
Token: SeSystemtimePrivilege	2892	wmic.exe
Token: SeProfSingleProcessPrivilege	2892	wmic.exe
Token: SeIncBasePriorityPrivilege	2892	wmic.exe
Token: SeCreatePagefilePrivilege	2892	wmic.exe
Token: SeBackupPrivilege	2892	wmic.exe
Token: SeRestorePrivilege	2892	wmic.exe
Token: SeShutdownPrivilege	2892	wmic.exe
Token: SeDebugPrivilege	2892	wmic.exe
Token: SeSystemEnvironmentPrivilege	2892	wmic.exe
Token: SeRemoteShutdownPrivilege	2892	wmic.exe
Token: SeUndockPrivilege	2892	wmic.exe
Token: SeManageVolumePrivilege	2892	wmic.exe
Token: 33	2892	wmic.exe
Token: 34	2892	wmic.exe
Token: 35	2892	wmic.exe
Token: SeBackupPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2916	vssvc.exe
Token: SeAuditPrivilege	2916	vssvc.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2784	WmZWbh4b.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2160	2680	392fcfb7445ce64079d2de971877520e.exe	30
PID 2680 wrote to memory of 2160	2680	392fcfb7445ce64079d2de971877520e.exe	30
PID 2680 wrote to memory of 2160	2680	392fcfb7445ce64079d2de971877520e.exe	30
PID 2680 wrote to memory of 2160	2680	392fcfb7445ce64079d2de971877520e.exe	30
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 2680 wrote to memory of 1424	2680	392fcfb7445ce64079d2de971877520e.exe	31
PID 1424 wrote to memory of 2784	1424	installer.exe	32
PID 1424 wrote to memory of 2784	1424	installer.exe	32
PID 1424 wrote to memory of 2784	1424	installer.exe	32
PID 1424 wrote to memory of 2784	1424	installer.exe	32
PID 1424 wrote to memory of 2352	1424	installer.exe	33
PID 1424 wrote to memory of 2352	1424	installer.exe	33
PID 1424 wrote to memory of 2352	1424	installer.exe	33
PID 1424 wrote to memory of 2352	1424	installer.exe	33
PID 2160 wrote to memory of 2916	2160	loader0.exe	34
PID 2160 wrote to memory of 2916	2160	loader0.exe	34
PID 2160 wrote to memory of 2916	2160	loader0.exe	34
PID 2160 wrote to memory of 2916	2160	loader0.exe	34
PID 2160 wrote to memory of 2724	2160	loader0.exe	35
PID 2160 wrote to memory of 2724	2160	loader0.exe	35
PID 2160 wrote to memory of 2724	2160	loader0.exe	35
PID 2160 wrote to memory of 2724	2160	loader0.exe	35
PID 2916 wrote to memory of 2648	2916	WScript.exe	36
PID 2916 wrote to memory of 2648	2916	WScript.exe	36
PID 2916 wrote to memory of 2648	2916	WScript.exe	36
PID 2916 wrote to memory of 2648	2916	WScript.exe	36
PID 2648 wrote to memory of 3048	2648	cmd.exe	38
PID 2648 wrote to memory of 3048	2648	cmd.exe	38
PID 2648 wrote to memory of 3048	2648	cmd.exe	38
PID 2648 wrote to memory of 3048	2648	cmd.exe	38
PID 3048 wrote to memory of 2368	3048	AgentDriversession.exe	70
PID 3048 wrote to memory of 2368	3048	AgentDriversession.exe	70
PID 3048 wrote to memory of 2368	3048	AgentDriversession.exe	70
PID 2352 wrote to memory of 2892	2352	Umbral.exe	71
PID 2352 wrote to memory of 2892	2352	Umbral.exe	71
PID 2352 wrote to memory of 2892	2352	Umbral.exe	71
PID 2352 wrote to memory of 3052	2352	Umbral.exe	76
PID 2352 wrote to memory of 3052	2352	Umbral.exe	76
PID 2352 wrote to memory of 3052	2352	Umbral.exe	76
PID 2352 wrote to memory of 1440	2352	Umbral.exe	78
PID 2352 wrote to memory of 1440	2352	Umbral.exe	78
PID 2352 wrote to memory of 1440	2352	Umbral.exe	78
PID 2352 wrote to memory of 1636	2352	Umbral.exe	81
PID 2352 wrote to memory of 1636	2352	Umbral.exe	81
PID 2352 wrote to memory of 1636	2352	Umbral.exe	81
PID 2368 wrote to memory of 1944	2368	cmd.exe	83
PID 2368 wrote to memory of 1944	2368	cmd.exe	83
PID 2368 wrote to memory of 1944	2368	cmd.exe	83
PID 2368 wrote to memory of 804	2368	cmd.exe	84
PID 2368 wrote to memory of 804	2368	cmd.exe	84
PID 2368 wrote to memory of 804	2368	cmd.exe	84
PID 2352 wrote to memory of 2684	2352	Umbral.exe	85
PID 2352 wrote to memory of 2684	2352	Umbral.exe	85
PID 2352 wrote to memory of 2684	2352	Umbral.exe	85
PID 2352 wrote to memory of 2640	2352	Umbral.exe	87
PID 2352 wrote to memory of 2640	2352	Umbral.exe	87
PID 2352 wrote to memory of 2640	2352	Umbral.exe	87
PID 2784 wrote to memory of 572	2784	WmZWbh4b.exe	89
PID 2784 wrote to memory of 572	2784	WmZWbh4b.exe	89

System policy modification 1 TTPs 6 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AgentDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AgentDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	AgentDriversession.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3052	attrib.exe
572	attrib.exe
1688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\392fcfb7445ce64079d2de971877520e.exe
"C:\Users\Admin\AppData\Local\Temp\392fcfb7445ce64079d2de971877520e.exe"
1⤵
- DcRat
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\loader0.exe
  "C:\Users\Admin\AppData\Local\Temp\loader0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\reviewCrt\jVfhzQMFI0iTNziih7b.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\reviewCrt\tYuCM.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\reviewCrt\AgentDriversession.exe
        
        "C:\reviewCrt\AgentDriversession.exe"
        5⤵
        DcRat
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3048
      - C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e0efb37-15f0-4ca8-ab76-3d99f86b457d.vbs"
        7⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e752767-ac0f-46c1-92d9-4e7dabe30c88.vbs"
        7⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\CNUBWLN86RZHT2Q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CNUBWLN86RZHT2Q.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PortsurrogateWinhostdhcp\ya0aIw.vbe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\PortsurrogateWinhostdhcp\AW1Fe6Q61HGStQsO0.bat" "
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe
        
        "C:\PortsurrogateWinhostdhcp/WebReviewWinSvc.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\cmd.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Sonata\explorer.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\reviewCrt\smss.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\dwm.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otAs0TL0l6.bat"
        11⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:448
        
        C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe
        
        "C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe"
        12⤵
        Executes dropped EXE
        
        PID:204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\reviewCrt\file.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe
    "C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:572
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec\$77svchost.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1688
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp24FE.tmp.bat""
      4⤵
      Loads dropped DLL
      PID:2952
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2400
    - - C:\Users\Admin\Exec\$77svchost.exe
        
        "C:\Users\Admin\Exec\$77svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:212
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svchost.exe
        6⤵
        
        PID:2692
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\Exec\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svchost.exe
        6⤵
        
        PID:1956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2920
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        6⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:3052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:836
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2988
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:900
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2380
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\reviewCrt\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\reviewCrt\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\reviewCrt\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\reviewCrt\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\reviewCrt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\reviewCrt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Sonata\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Sonata\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\reviewCrt\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\reviewCrt\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\reviewCrt\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\PortsurrogateWinhostdhcp\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\PortsurrogateWinhostdhcp\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 13 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebReviewWinSvc" /sc ONLOGON /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebReviewWinSvcW" /sc MINUTE /mo 6 /tr "'C:\PortsurrogateWinhostdhcp\WebReviewWinSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry