dcrat | 6e5aad0db5a6d82f3aadef1cd9856462367d2abc7da9e23adb90e6c738b830f0

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e427fad65a1acee051224babed62e00N.exe
Size

4.9MB
MD5

2e427fad65a1acee051224babed62e00
SHA1

9f01f207c5213f3adf2d0ddd0806135c96e03d84
SHA256

6e5aad0db5a6d82f3aadef1cd9856462367d2abc7da9e23adb90e6c738b830f0
SHA512

6c26bd4fa1a96c9a5d78bdd71b707d3f553d04f462a35fc5ad34c229fd9cb7dfac2d3e409a7b2562541a785c32c881b27b2ff94eccc8a5e9a555945be9f7cc3b
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 51 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\1610b97d3ab4a7		2e427fad65a1acee051224babed62e00N.exe
		756	schtasks.exe
		1732	schtasks.exe
		1072	schtasks.exe
		2440	schtasks.exe
		1676	schtasks.exe
		3036	schtasks.exe
		2300	schtasks.exe
		2828	schtasks.exe
		2868	schtasks.exe
		2700	schtasks.exe
File created	C:\Windows\AppPatch\56085415360792		2e427fad65a1acee051224babed62e00N.exe
		2140	schtasks.exe
		2112	schtasks.exe
		2540	schtasks.exe
		3012	schtasks.exe
		1976	schtasks.exe
File created	C:\Program Files\Microsoft Games\101b941d020240		2e427fad65a1acee051224babed62e00N.exe
		1372	schtasks.exe
		2256	schtasks.exe
		2500	schtasks.exe
		2432	schtasks.exe
		2620	schtasks.exe
		1936	schtasks.exe
		1956	schtasks.exe
		2740	schtasks.exe
		2728	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		2e427fad65a1acee051224babed62e00N.exe
		2848	schtasks.exe
		944	schtasks.exe
		1544	schtasks.exe
		2856	schtasks.exe
		2764	schtasks.exe
File created	C:\Windows\addins\27d1bcfc3c54e0		2e427fad65a1acee051224babed62e00N.exe
		2096	schtasks.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7		2e427fad65a1acee051224babed62e00N.exe
		2052	schtasks.exe
		1420	schtasks.exe
		2928	schtasks.exe
		2892	schtasks.exe
		2944	schtasks.exe
		2844	schtasks.exe
		2604	schtasks.exe
		2296	schtasks.exe
		380	schtasks.exe
		1900	schtasks.exe
		1952	schtasks.exe
		1520	schtasks.exe
		2780	schtasks.exe
		1248	schtasks.exe
		2544	schtasks.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2320	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2100-3-0x000000001B850000-0x000000001B97E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe
1324	powershell.exe
824	powershell.exe
1444	powershell.exe
1372	powershell.exe
2304	powershell.exe
2576	powershell.exe
444	powershell.exe
1124	powershell.exe
2584	powershell.exe
1908	powershell.exe
2692	powershell.exe
2924	powershell.exe
788	powershell.exe
820	powershell.exe
316	powershell.exe
684	powershell.exe
2916	powershell.exe
1492	powershell.exe
1148	powershell.exe
304	powershell.exe
1260	powershell.exe
3004	powershell.exe
544	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2344	2e427fad65a1acee051224babed62e00N.exe
1944	Idle.exe
1048	Idle.exe
316	Idle.exe
2976	Idle.exe
1952	Idle.exe
108	Idle.exe
2352	Idle.exe
2868	Idle.exe
2372	Idle.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e427fad65a1acee051224babed62e00N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e427fad65a1acee051224babed62e00N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files\Microsoft Games\101b941d020240	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\OSPPSVC.exe	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Program Files\Microsoft Games\lsm.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files\Microsoft Games\lsm.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\OSPPSVC.exe	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXAC78.tmp	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXA9F7.tmp	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Program Files\Microsoft Games\RCXB4F5.tmp	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\6ccacd8608530f	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\1610b97d3ab4a7	2e427fad65a1acee051224babed62e00N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\wininit.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\AppPatch\56085415360792	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\Migration\56085415360792	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\inf\BITS\040C\services.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\inf\BITS\040C\c5b4cb5e9653cc	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\Logs\winlogon.exe	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Windows\AppPatch\RCXA7F4.tmp	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Windows\addins\RCXAE7D.tmp	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Windows\inf\BITS\040C\services.exe	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Windows\Logs\winlogon.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\addins\System.exe	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Windows\addins\System.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\Migration\wininit.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\Logs\cc11b995f2a76d	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\AppPatch\wininit.exe	2e427fad65a1acee051224babed62e00N.exe
File created	C:\Windows\addins\27d1bcfc3c54e0	2e427fad65a1acee051224babed62e00N.exe
File opened for modification	C:\Windows\Migration\wininit.exe	2e427fad65a1acee051224babed62e00N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe
2944	schtasks.exe
2604	schtasks.exe
1732	schtasks.exe
1900	schtasks.exe
1520	schtasks.exe
1956	schtasks.exe
1420	schtasks.exe
2500	schtasks.exe
2868	schtasks.exe
1544	schtasks.exe
2828	schtasks.exe
2256	schtasks.exe
2096	schtasks.exe
2544	schtasks.exe
2892	schtasks.exe
2296	schtasks.exe
2740	schtasks.exe
1936	schtasks.exe
2300	schtasks.exe
380	schtasks.exe
2140	schtasks.exe
2700	schtasks.exe
2764	schtasks.exe
1976	schtasks.exe
2112	schtasks.exe
3036	schtasks.exe
1248	schtasks.exe
1952	schtasks.exe
2856	schtasks.exe
1072	schtasks.exe
2928	schtasks.exe
1676	schtasks.exe
2052	schtasks.exe
3012	schtasks.exe
2728	schtasks.exe
2848	schtasks.exe
1372	schtasks.exe
944	schtasks.exe
2432	schtasks.exe
2620	schtasks.exe
2440	schtasks.exe
756	schtasks.exe
2844	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2100	2e427fad65a1acee051224babed62e00N.exe
2100	2e427fad65a1acee051224babed62e00N.exe
2100	2e427fad65a1acee051224babed62e00N.exe
2924	powershell.exe
824	powershell.exe
820	powershell.exe
1148	powershell.exe
1124	powershell.exe
2584	powershell.exe
788	powershell.exe
444	powershell.exe
304	powershell.exe
1444	powershell.exe
1324	powershell.exe
1492	powershell.exe
2344	2e427fad65a1acee051224babed62e00N.exe
2344	2e427fad65a1acee051224babed62e00N.exe
2344	2e427fad65a1acee051224babed62e00N.exe
2344	2e427fad65a1acee051224babed62e00N.exe
2344	2e427fad65a1acee051224babed62e00N.exe
1908	powershell.exe
2304	powershell.exe
316	powershell.exe
2692	powershell.exe
2688	powershell.exe
684	powershell.exe
1372	powershell.exe
2576	powershell.exe
544	powershell.exe
2916	powershell.exe
3004	powershell.exe
1260	powershell.exe
1944	Idle.exe
1048	Idle.exe
316	Idle.exe
2976	Idle.exe
1952	Idle.exe
108	Idle.exe
2352	Idle.exe
2868	Idle.exe
2372	Idle.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	2e427fad65a1acee051224babed62e00N.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2344	2e427fad65a1acee051224babed62e00N.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1944	Idle.exe
Token: SeDebugPrivilege	1048	Idle.exe
Token: SeDebugPrivilege	316	Idle.exe
Token: SeDebugPrivilege	2976	Idle.exe
Token: SeDebugPrivilege	1952	Idle.exe
Token: SeDebugPrivilege	108	Idle.exe
Token: SeDebugPrivilege	2352	Idle.exe
Token: SeDebugPrivilege	2868	Idle.exe
Token: SeDebugPrivilege	2372	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1492	2100	2e427fad65a1acee051224babed62e00N.exe	52
PID 2100 wrote to memory of 1492	2100	2e427fad65a1acee051224babed62e00N.exe	52
PID 2100 wrote to memory of 1492	2100	2e427fad65a1acee051224babed62e00N.exe	52
PID 2100 wrote to memory of 1148	2100	2e427fad65a1acee051224babed62e00N.exe	53
PID 2100 wrote to memory of 1148	2100	2e427fad65a1acee051224babed62e00N.exe	53
PID 2100 wrote to memory of 1148	2100	2e427fad65a1acee051224babed62e00N.exe	53
PID 2100 wrote to memory of 2924	2100	2e427fad65a1acee051224babed62e00N.exe	54
PID 2100 wrote to memory of 2924	2100	2e427fad65a1acee051224babed62e00N.exe	54
PID 2100 wrote to memory of 2924	2100	2e427fad65a1acee051224babed62e00N.exe	54
PID 2100 wrote to memory of 1324	2100	2e427fad65a1acee051224babed62e00N.exe	55
PID 2100 wrote to memory of 1324	2100	2e427fad65a1acee051224babed62e00N.exe	55
PID 2100 wrote to memory of 1324	2100	2e427fad65a1acee051224babed62e00N.exe	55
PID 2100 wrote to memory of 824	2100	2e427fad65a1acee051224babed62e00N.exe	56
PID 2100 wrote to memory of 824	2100	2e427fad65a1acee051224babed62e00N.exe	56
PID 2100 wrote to memory of 824	2100	2e427fad65a1acee051224babed62e00N.exe	56
PID 2100 wrote to memory of 788	2100	2e427fad65a1acee051224babed62e00N.exe	57
PID 2100 wrote to memory of 788	2100	2e427fad65a1acee051224babed62e00N.exe	57
PID 2100 wrote to memory of 788	2100	2e427fad65a1acee051224babed62e00N.exe	57
PID 2100 wrote to memory of 820	2100	2e427fad65a1acee051224babed62e00N.exe	58
PID 2100 wrote to memory of 820	2100	2e427fad65a1acee051224babed62e00N.exe	58
PID 2100 wrote to memory of 820	2100	2e427fad65a1acee051224babed62e00N.exe	58
PID 2100 wrote to memory of 1444	2100	2e427fad65a1acee051224babed62e00N.exe	59
PID 2100 wrote to memory of 1444	2100	2e427fad65a1acee051224babed62e00N.exe	59
PID 2100 wrote to memory of 1444	2100	2e427fad65a1acee051224babed62e00N.exe	59
PID 2100 wrote to memory of 444	2100	2e427fad65a1acee051224babed62e00N.exe	60
PID 2100 wrote to memory of 444	2100	2e427fad65a1acee051224babed62e00N.exe	60
PID 2100 wrote to memory of 444	2100	2e427fad65a1acee051224babed62e00N.exe	60
PID 2100 wrote to memory of 1124	2100	2e427fad65a1acee051224babed62e00N.exe	61
PID 2100 wrote to memory of 1124	2100	2e427fad65a1acee051224babed62e00N.exe	61
PID 2100 wrote to memory of 1124	2100	2e427fad65a1acee051224babed62e00N.exe	61
PID 2100 wrote to memory of 304	2100	2e427fad65a1acee051224babed62e00N.exe	62
PID 2100 wrote to memory of 304	2100	2e427fad65a1acee051224babed62e00N.exe	62
PID 2100 wrote to memory of 304	2100	2e427fad65a1acee051224babed62e00N.exe	62
PID 2100 wrote to memory of 2584	2100	2e427fad65a1acee051224babed62e00N.exe	63
PID 2100 wrote to memory of 2584	2100	2e427fad65a1acee051224babed62e00N.exe	63
PID 2100 wrote to memory of 2584	2100	2e427fad65a1acee051224babed62e00N.exe	63
PID 2100 wrote to memory of 1184	2100	2e427fad65a1acee051224babed62e00N.exe	76
PID 2100 wrote to memory of 1184	2100	2e427fad65a1acee051224babed62e00N.exe	76
PID 2100 wrote to memory of 1184	2100	2e427fad65a1acee051224babed62e00N.exe	76
PID 1184 wrote to memory of 1540	1184	cmd.exe	78
PID 1184 wrote to memory of 1540	1184	cmd.exe	78
PID 1184 wrote to memory of 1540	1184	cmd.exe	78
PID 1184 wrote to memory of 2344	1184	cmd.exe	80
PID 1184 wrote to memory of 2344	1184	cmd.exe	80
PID 1184 wrote to memory of 2344	1184	cmd.exe	80
PID 2344 wrote to memory of 316	2344	2e427fad65a1acee051224babed62e00N.exe	105
PID 2344 wrote to memory of 316	2344	2e427fad65a1acee051224babed62e00N.exe	105
PID 2344 wrote to memory of 316	2344	2e427fad65a1acee051224babed62e00N.exe	105
PID 2344 wrote to memory of 1908	2344	2e427fad65a1acee051224babed62e00N.exe	106
PID 2344 wrote to memory of 1908	2344	2e427fad65a1acee051224babed62e00N.exe	106
PID 2344 wrote to memory of 1908	2344	2e427fad65a1acee051224babed62e00N.exe	106
PID 2344 wrote to memory of 2688	2344	2e427fad65a1acee051224babed62e00N.exe	108
PID 2344 wrote to memory of 2688	2344	2e427fad65a1acee051224babed62e00N.exe	108
PID 2344 wrote to memory of 2688	2344	2e427fad65a1acee051224babed62e00N.exe	108
PID 2344 wrote to memory of 684	2344	2e427fad65a1acee051224babed62e00N.exe	109
PID 2344 wrote to memory of 684	2344	2e427fad65a1acee051224babed62e00N.exe	109
PID 2344 wrote to memory of 684	2344	2e427fad65a1acee051224babed62e00N.exe	109
PID 2344 wrote to memory of 2576	2344	2e427fad65a1acee051224babed62e00N.exe	110
PID 2344 wrote to memory of 2576	2344	2e427fad65a1acee051224babed62e00N.exe	110
PID 2344 wrote to memory of 2576	2344	2e427fad65a1acee051224babed62e00N.exe	110
PID 2344 wrote to memory of 1260	2344	2e427fad65a1acee051224babed62e00N.exe	113
PID 2344 wrote to memory of 1260	2344	2e427fad65a1acee051224babed62e00N.exe	113
PID 2344 wrote to memory of 1260	2344	2e427fad65a1acee051224babed62e00N.exe	113
PID 2344 wrote to memory of 1372	2344	2e427fad65a1acee051224babed62e00N.exe	115

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e427fad65a1acee051224babed62e00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e427fad65a1acee051224babed62e00N.exe
"C:\Users\Admin\AppData\Local\Temp\2e427fad65a1acee051224babed62e00N.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vyn9EiQSuF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\2e427fad65a1acee051224babed62e00N.exe
    "C:\Users\Admin\AppData\Local\Temp\2e427fad65a1acee051224babed62e00N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VpzpaF2iWz.bat"
      4⤵
      PID:2444
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:632
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1944
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeb67e6c-3b74-468e-b577-2fd5f3800ffb.vbs"
        6⤵
        
        PID:2336
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e44361a-91f3-4706-a2c6-6574b061df78.vbs"
        8⤵
        
        PID:2440
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d480da0-76de-4d18-8ec3-96e1d95b93f1.vbs"
        10⤵
        
        PID:1940
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c896c22f-04be-4fc5-bd3e-f3c8e2d0362b.vbs"
        12⤵
        
        PID:2584
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a539389-11e1-486a-ac3a-20b34747cc41.vbs"
        14⤵
        
        PID:1052
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c6f4e7-e912-455e-a7ef-723a5b4c6132.vbs"
        16⤵
        
        PID:1324
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20aac581-8371-47af-9bbd-c7ab87f5c2e1.vbs"
        18⤵
        
        PID:3032
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cc60b89-e6ed-4079-97f3-59a9ead202b5.vbs"
        20⤵
        
        PID:2692
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d748ec-8773-4928-afab-d36364cee1b0.vbs"
        20⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b54eb1c-7469-4b88-8a9d-45ace4b5283a.vbs"
        18⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48b20813-b7d5-47ae-8592-ffe8554ae601.vbs"
        16⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8c8ce0c-9156-40a0-809a-b2fca457479e.vbs"
        14⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3732211a-c1c5-47a8-89d3-7b3bd41f5d6a.vbs"
        12⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33e6ec9-1fd1-40e7-bf01-a2a21ca09886.vbs"
        10⤵
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d8e0c38-ea6e-42f8-9d1b-2ed31cd90824.vbs"
        8⤵
        
        PID:2240
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aced4223-2d27-4d41-8d22-3aab0882a5df.vbs"
        6⤵
        
        PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\AppPatch\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e427fad65a1acee051224babed62e00N2" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\2e427fad65a1acee051224babed62e00N.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e427fad65a1acee051224babed62e00N" /sc ONLOGON /tr "'C:\Users\Default\Templates\2e427fad65a1acee051224babed62e00N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e427fad65a1acee051224babed62e00N2" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\2e427fad65a1acee051224babed62e00N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\BITS\040C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\inf\BITS\040C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\BITS\040C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d480da0-76de-4d18-8ec3-96e1d95b93f1.vbs

Filesize
749B

MD5
7f99fd9a53bd6819851549d506ae7ac1

SHA1
1bf111144ff72fbf060fe49052e4575e5391afc7

SHA256
6458d635589dcc135a32fd7106f6f424c48973007aac85ece1a1354f73452e90

SHA512
59457e32f6bcc55a40b7b2a2096dd4aef5e0914bdae4bb2795ac4e9ba35ab1ab86d9368de49d3441be375100ebbdb669312765ef233fede037e1a0c1c525620c

Download Submit
C:\Users\Admin\AppData\Local\Temp\20aac581-8371-47af-9bbd-c7ab87f5c2e1.vbs

Filesize
750B

MD5
a3f67f133ef48228cf0995203d5111b9

SHA1
69ab121bbf44dbc4fd1dc7994cd2ddca58721f33

SHA256
ebf080b72db2acb4ddbad26bec76c8e9e92ee74fb4da0fe05360a6a9f0722fc4

SHA512
a940ef67d76a191102b4d7438ae470a3f533ad5e5bb36442fa5f5e98649ef76b2c939d70642b679a663f9d1817ddd79411f2b5a21cf5e020b871ffb63c040c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a539389-11e1-486a-ac3a-20b34747cc41.vbs

Filesize
750B

MD5
bc113c14d237d1ff35b02a1aee53ceca

SHA1
d5a78c7b50c444c63914a1743b3865a1d3126f85

SHA256
c9c2fce12052256a4c16a8403e811a5d24fa4e939fa1d482eaf2e2849f19128d

SHA512
3e41eafb312e130f500d7dfd0a3833664b91eeaf1a689d37dc9954bcfffe658e2468c79b0076bea73d469473d600ce3325bed5c48361404ca200721cdb913679

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e44361a-91f3-4706-a2c6-6574b061df78.vbs

Filesize
750B

MD5
3fbd84be5f9e8f699893b33919802f80

SHA1
e66bb82f6c67a104f6c67effeab17874a1590efc

SHA256
20597014879318941bb8d420be8237d0d355e1ffb151f6de7c0728e8db9ce211

SHA512
5686759ce7023b2f27a30a1938d72038bdb658e6d6749ffe56167e6041b4700f3a005b6fb222639d3bc0e4d7f18c9b5495fe540741c5ceddc529ee45fc26953e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cc60b89-e6ed-4079-97f3-59a9ead202b5.vbs

Filesize
750B

MD5
2177e98b1db891a82781526c75be7250

SHA1
a78ffd6d717638c7b0b621cfac460037398678ba

SHA256
f84d6dd891fbaf534677524d08b7297789f621ed5e483ee6c7c9943e9727a235

SHA512
d2db076da3170221749a747f95c9eefb4322a8db463ac552648c7f28ffed5a46be7f0e6263d014abd4101fc7c17a85e1c5383d0de69af294b9e45afb817309d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpzpaF2iWz.bat

Filesize
239B

MD5
5b6df5e20205479100a8654ac12fa887

SHA1
c0e43d126bf38bf359e5fcf5576597950f58b528

SHA256
e9994b8466a87f55da65f6c2d9d88ef711a23c7a76b2ee7c6021d3a9f5e91962

SHA512
fe755f55e96514e1c849407b418b0a569e93ae522b203812cffc799c19ff45615cc3c65839989940843786a0554c7be18fa675b276bd6930df73bb649d49123e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8c6f4e7-e912-455e-a7ef-723a5b4c6132.vbs

Filesize
749B

MD5
43b90cea5e3d99ea2aaf310c39ec6882

SHA1
b5e2d3998a2dd549fa7f6eb5a8e964a159e03962

SHA256
a448af255c122e57b58a3557e865fa9c0cc0ce35712a00dc032c8dcb5d573674

SHA512
5c808e44024bcd400336e23a2db35ce1a9c2def1ce826de676da934b9eeaf0e7a01a9217564d8f43f10b8b9389549ee84f13e4aaf4aaa7f40d70035345797942

Download Submit
C:\Users\Admin\AppData\Local\Temp\aced4223-2d27-4d41-8d22-3aab0882a5df.vbs

Filesize
526B

MD5
932a11314f9b3982fc02e9f704a245b3

SHA1
e807a666134f1c65905e0a71022fcce5776157fc

SHA256
119fb03fbcce09aeb2949740a242f1d2f644e69b506798c5da241e2852375317

SHA512
8f1a44a6a6d7e25b9f4d5fb4885a60525ae4ba043254e09922383fdaa633268da14fc1ac4fe034b9577530ffc3be058e47d56b52e47bfd16706a6dfbab63eca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c896c22f-04be-4fc5-bd3e-f3c8e2d0362b.vbs

Filesize
750B

MD5
370e897513f48045ffb902b6469eb02e

SHA1
a98c249d3bd95ec1d21f0d135306b28c1e46ff80

SHA256
63db47acc6cf21c904cfc604dcf6de490339d950371cbfcc1bf09fa7b8d4ddb9

SHA512
e946173a3f03aa9461bd5abd82a6ae8926d65f4ede70aeca9bb970a749cf80dd925fcb656382ba37a33cc35e7fa6c78125ed785241c3791547c48d6f139bcfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeb67e6c-3b74-468e-b577-2fd5f3800ffb.vbs

Filesize
750B

MD5
9e116080938ecc01224a36ed7a979644

SHA1
c568ac531a0e950ab5996203d86b30b60d0c4b8c

SHA256
3c0ebbf9813af9a022feaa984487e64053959a9d44d556edbda65548afd78c1f

SHA512
d5d494ba8940f3bbf3260e91b547f7823973413ffb0664aa89f287f8cb800ff4d1904d0b1974937e58ef69fd568f47ad07e4bc4a39a2d2168cb081ea2e649391

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC5B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyn9EiQSuF.bat

Filesize
236B

MD5
f8ec8f8399e9486c19e3e1783b6cc672

SHA1
db61809e1e97267373d827cca25a8b4b59701320

SHA256
f9698ab5348a84e8fec3284c2ddb04d57d23a0cdde432e55bb352d6dac5fb4c4

SHA512
0c563c3676a7fed13faea984fb21aa47b8389e685eede6952c7055f0ce5a3cdd8d4c1551b71b9c7de25b2279d3f84d2f79d66e4e73941d50beb79210a0d41ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c093462677a27d4c89ac51c8fc2b09ae

SHA1
9e411eca336cde8022d636fa764bffbb09ebb735

SHA256
501876d2b225c0d808bd66f5d1a69674ade3fac0c0e6579bbbbfd8bb6192731a

SHA512
fccd5504cae065c91952fe9436dd5d872470453eb784ab9d1adf171aeb0a893397f987805f4978f9b280eae72234efda724dd6a85abe8d975ee457aa81f4d783

Download Submit
C:\Users\Default\services.exe

Filesize
4.9MB

MD5
2e427fad65a1acee051224babed62e00

SHA1
9f01f207c5213f3adf2d0ddd0806135c96e03d84

SHA256
6e5aad0db5a6d82f3aadef1cd9856462367d2abc7da9e23adb90e6c738b830f0

SHA512
6c26bd4fa1a96c9a5d78bdd71b707d3f553d04f462a35fc5ad34c229fd9cb7dfac2d3e409a7b2562541a785c32c881b27b2ff94eccc8a5e9a555945be9f7cc3b

Download Submit
memory/108-331-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/316-287-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/824-99-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1048-272-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download
memory/1908-203-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/1908-197-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/1944-258-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/1952-316-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2100-5-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2100-16-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2100-1-0x0000000000E40000-0x0000000001334000-memory.dmp

Filesize
5.0MB

Download
memory/2100-0-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/2100-2-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-10-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2100-87-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-9-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2100-8-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/2100-14-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2100-7-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/2100-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2100-6-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2100-12-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/2100-15-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/2100-4-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/2100-13-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/2100-3-0x000000001B850000-0x000000001B97E000-memory.dmp

Filesize
1.2MB

Download
memory/2344-151-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2352-346-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/2372-376-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2868-361-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download
memory/2924-97-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download