dcrat | 4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Size

4.9MB
MD5

85ab5c50c78b5db54a69d9f85c8d07ff
SHA1

112a5c1bf9a479baf32c8196ba4b1bc24b27541e
SHA256

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21
SHA512

2978fdea829a99e828bff671748a346e075ed4fb597127dba6f99bd23704d740d8d776afe530bbd544d42bf71dbcf328a66dbcd55f48dd25ee2a9cb46878eaa4
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 63 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		1472	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
		2208	schtasks.exe
		872	schtasks.exe
		1396	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\cc11b995f2a76d		4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
		1732	schtasks.exe
		1816	schtasks.exe
		1736	schtasks.exe
		2660	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\0a1fd5f707cd16		4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
		2208	schtasks.exe
		2860	schtasks.exe
		1932	schtasks.exe
		1344	schtasks.exe
		2820	schtasks.exe
		2680	schtasks.exe
File created	C:\Program Files\Windows Mail\en-US\101b941d020240		4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
		1472	schtasks.exe
		2412	schtasks.exe
		2832	schtasks.exe
		908	schtasks.exe
		2380	schtasks.exe
		3000	schtasks.exe
		1572	schtasks.exe
		2800	schtasks.exe
		1224	schtasks.exe
		2632	schtasks.exe
		2940	schtasks.exe
		2740	schtasks.exe
		2572	schtasks.exe
		2008	schtasks.exe
		1760	schtasks.exe
		2144	schtasks.exe
		2972	schtasks.exe
		764	schtasks.exe
		1768	schtasks.exe
		1384	schtasks.exe
		2856	schtasks.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\27d1bcfc3c54e0		4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
		692	schtasks.exe
		1784	schtasks.exe
		744	schtasks.exe
		2636	schtasks.exe
		2648	schtasks.exe
		2840	schtasks.exe
		2924	schtasks.exe
		2204	schtasks.exe
		2100	schtasks.exe
		1860	schtasks.exe
		1304	schtasks.exe
		828	schtasks.exe
		1828	schtasks.exe
		1560	schtasks.exe
		2608	schtasks.exe
		2432	schtasks.exe
		264	schtasks.exe
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24		4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
		1672	schtasks.exe
		2972	schtasks.exe
		2724	schtasks.exe
		2376	schtasks.exe
		2608	schtasks.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2996	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2644-3-0x000000001B660000-0x000000001B78E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2248	powershell.exe
2612	powershell.exe
1580	powershell.exe
328	powershell.exe
788	powershell.exe
1720	powershell.exe
3036	powershell.exe
2320	powershell.exe
1020	powershell.exe
1316	powershell.exe
532	powershell.exe
1716	powershell.exe
2904	powershell.exe
1944	powershell.exe
1336	powershell.exe
2640	powershell.exe
2760	powershell.exe
2964	powershell.exe
236	powershell.exe
1564	powershell.exe
988	powershell.exe
1028	powershell.exe
1704	powershell.exe
1624	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

pid	Process
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2764	conhost.exe
1336	conhost.exe
2748	conhost.exe
2852	conhost.exe
2412	conhost.exe
2096	conhost.exe
1728	conhost.exe
3040	conhost.exe
2068	conhost.exe
1276	conhost.exe
1272	conhost.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.execonhost.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.execonhost.execonhost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Drops file in Program Files directory 22 IoCs

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\en-US\lsm.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Windows Mail\en-US\101b941d020240	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\0a1fd5f707cd16	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCXCCE.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\conhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Windows Mail\en-US\lsm.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Microsoft Office\Office14\088424020bedd6	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\27d1bcfc3c54e0	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\sppsvc.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCX1A2D.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\sppsvc.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files\Microsoft Office\Office14\conhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\cc11b995f2a76d	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\RCX15B8.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCX1E35.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Drops file in Windows directory 14 IoCs

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

description	ioc	Process
File opened for modification	C:\Windows\Globalization\MCT\services.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\ShellNew\taskhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\ShellNew\b75386f1303e64	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Globalization\Sorting\088424020bedd6	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Globalization\Sorting\conhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Windows\Globalization\Sorting\conhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Boot\Fonts\conhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Globalization\MCT\c5b4cb5e9653cc	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Windows\ShellNew\taskhost.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXF3F.tmp	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
File created	C:\Windows\Globalization\MCT\services.exe	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2432	schtasks.exe
2208	schtasks.exe
1828	schtasks.exe
2636	schtasks.exe
1784	schtasks.exe
2632	schtasks.exe
264	schtasks.exe
1344	schtasks.exe
2856	schtasks.exe
2608	schtasks.exe
2008	schtasks.exe
2680	schtasks.exe
1732	schtasks.exe
2380	schtasks.exe
2940	schtasks.exe
828	schtasks.exe
1396	schtasks.exe
2820	schtasks.exe
3000	schtasks.exe
1572	schtasks.exe
1472	schtasks.exe
1560	schtasks.exe
2648	schtasks.exe
744	schtasks.exe
1768	schtasks.exe
2100	schtasks.exe
2832	schtasks.exe
2800	schtasks.exe
2860	schtasks.exe
1932	schtasks.exe
2204	schtasks.exe
2608	schtasks.exe
2412	schtasks.exe
1304	schtasks.exe
1760	schtasks.exe
1816	schtasks.exe
1672	schtasks.exe
1472	schtasks.exe
2840	schtasks.exe
2724	schtasks.exe
1860	schtasks.exe
2660	schtasks.exe
2740	schtasks.exe
2208	schtasks.exe
2376	schtasks.exe
908	schtasks.exe
2972	schtasks.exe
2924	schtasks.exe
764	schtasks.exe
872	schtasks.exe
2144	schtasks.exe
2972	schtasks.exe
2572	schtasks.exe
1736	schtasks.exe
1384	schtasks.exe
692	schtasks.exe
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

pid	Process
2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
236	powershell.exe
2248	powershell.exe
1336	powershell.exe
1944	powershell.exe
1720	powershell.exe
1624	powershell.exe
1564	powershell.exe
3036	powershell.exe
1704	powershell.exe
988	powershell.exe
2904	powershell.exe
1716	powershell.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
2320	powershell.exe
328	powershell.exe
1580	powershell.exe
788	powershell.exe
2964	powershell.exe
2640	powershell.exe
2760	powershell.exe
1020	powershell.exe
1028	powershell.exe
2612	powershell.exe
532	powershell.exe
1316	powershell.exe
2764	conhost.exe
1336	conhost.exe
2748	conhost.exe
2852	conhost.exe
2412	conhost.exe
2096	conhost.exe
1728	conhost.exe
3040	conhost.exe
2068	conhost.exe
1276	conhost.exe
1272	conhost.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	pid	Process
Token: SeDebugPrivilege	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2764	conhost.exe
Token: SeDebugPrivilege	1336	conhost.exe
Token: SeDebugPrivilege	2748	conhost.exe
Token: SeDebugPrivilege	2852	conhost.exe
Token: SeDebugPrivilege	2412	conhost.exe
Token: SeDebugPrivilege	2096	conhost.exe
Token: SeDebugPrivilege	1728	conhost.exe
Token: SeDebugPrivilege	3040	conhost.exe
Token: SeDebugPrivilege	2068	conhost.exe
Token: SeDebugPrivilege	1276	conhost.exe
Token: SeDebugPrivilege	1272	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe

description	pid	Process	procid_target
PID 2644 wrote to memory of 236	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	58
PID 2644 wrote to memory of 236	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	58
PID 2644 wrote to memory of 236	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	58
PID 2644 wrote to memory of 1564	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	59
PID 2644 wrote to memory of 1564	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	59
PID 2644 wrote to memory of 1564	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	59
PID 2644 wrote to memory of 1716	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	60
PID 2644 wrote to memory of 1716	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	60
PID 2644 wrote to memory of 1716	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	60
PID 2644 wrote to memory of 2904	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	61
PID 2644 wrote to memory of 2904	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	61
PID 2644 wrote to memory of 2904	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	61
PID 2644 wrote to memory of 1944	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	62
PID 2644 wrote to memory of 1944	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	62
PID 2644 wrote to memory of 1944	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	62
PID 2644 wrote to memory of 1720	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	63
PID 2644 wrote to memory of 1720	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	63
PID 2644 wrote to memory of 1720	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	63
PID 2644 wrote to memory of 1704	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	64
PID 2644 wrote to memory of 1704	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	64
PID 2644 wrote to memory of 1704	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	64
PID 2644 wrote to memory of 1624	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	65
PID 2644 wrote to memory of 1624	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	65
PID 2644 wrote to memory of 1624	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	65
PID 2644 wrote to memory of 1336	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	66
PID 2644 wrote to memory of 1336	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	66
PID 2644 wrote to memory of 1336	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	66
PID 2644 wrote to memory of 3036	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	67
PID 2644 wrote to memory of 3036	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	67
PID 2644 wrote to memory of 3036	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	67
PID 2644 wrote to memory of 2248	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	68
PID 2644 wrote to memory of 2248	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	68
PID 2644 wrote to memory of 2248	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	68
PID 2644 wrote to memory of 988	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	69
PID 2644 wrote to memory of 988	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	69
PID 2644 wrote to memory of 988	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	69
PID 2644 wrote to memory of 1764	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	82
PID 2644 wrote to memory of 1764	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	82
PID 2644 wrote to memory of 1764	2644	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	82
PID 1764 wrote to memory of 2320	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	113
PID 1764 wrote to memory of 2320	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	113
PID 1764 wrote to memory of 2320	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	113
PID 1764 wrote to memory of 2964	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	114
PID 1764 wrote to memory of 2964	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	114
PID 1764 wrote to memory of 2964	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	114
PID 1764 wrote to memory of 2612	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	116
PID 1764 wrote to memory of 2612	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	116
PID 1764 wrote to memory of 2612	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	116
PID 1764 wrote to memory of 788	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	117
PID 1764 wrote to memory of 788	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	117
PID 1764 wrote to memory of 788	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	117
PID 1764 wrote to memory of 2640	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	118
PID 1764 wrote to memory of 2640	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	118
PID 1764 wrote to memory of 2640	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	118
PID 1764 wrote to memory of 1580	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	119
PID 1764 wrote to memory of 1580	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	119
PID 1764 wrote to memory of 1580	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	119
PID 1764 wrote to memory of 1316	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	120
PID 1764 wrote to memory of 1316	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	120
PID 1764 wrote to memory of 1316	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	120
PID 1764 wrote to memory of 328	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	121
PID 1764 wrote to memory of 328	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	121
PID 1764 wrote to memory of 328	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	121
PID 1764 wrote to memory of 1020	1764	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe	122

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.exe4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.execonhost.execonhost.execonhost.execonhost.execonhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
"C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
  "C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\Globalization\Sorting\conhost.exe
    "C:\Windows\Globalization\Sorting\conhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2764
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e98551b-fe91-485c-8978-e00c707a9d2f.vbs"
      4⤵
      PID:1768
    - - C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1336
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9262fb84-a4e7-4c67-9071-6b63e47752e1.vbs"
        6⤵
        
        PID:1152
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fff9864-4cf7-4347-8254-fafbc0f887fe.vbs"
        8⤵
        
        PID:316
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53efb59-47fd-48d3-9ac2-d46d1d836494.vbs"
        10⤵
        
        PID:1928
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a42e98b-37ff-4f9d-a296-f7d7e011339a.vbs"
        12⤵
        
        PID:2924
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cce79c58-3ada-4546-b373-80d442a561f4.vbs"
        14⤵
        
        PID:1680
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832716e6-da97-4d1c-bd9a-f0001ae5470d.vbs"
        16⤵
        
        PID:2460
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b2e1e66-2459-4f15-9412-7e8149539ae8.vbs"
        18⤵
        
        PID:2680
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04778873-4537-48fe-a853-4bd7adcdc0b4.vbs"
        20⤵
        
        PID:2448
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e869d18-aca6-4612-88c4-d2bd8bca4879.vbs"
        22⤵
        
        PID:2232
        
        C:\Windows\Globalization\Sorting\conhost.exe
        
        C:\Windows\Globalization\Sorting\conhost.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f3c5fe-ea4f-4e9a-9648-1b390c829efc.vbs"
        24⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17355e5f-045d-497b-8a77-a8440b1451f4.vbs"
        24⤵
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3933fba9-4819-4221-8715-d746b482924d.vbs"
        22⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e13f1e79-d208-4848-a801-e559c4004c25.vbs"
        20⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c44c4b-debf-424c-ba07-63ac204ac3d9.vbs"
        18⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27e2698d-6f38-493f-a556-a2800e973d6d.vbs"
        16⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b2bbf71-3eec-45c5-988c-54a87c16ce0a.vbs"
        14⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\097569af-2eb1-4476-b468-965bf57fea2d.vbs"
        12⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfdc78c-8626-4f5c-b19f-8b88e5e5d832.vbs"
        10⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f265e57-a71c-4f1e-a99e-00720cce9bb6.vbs"
        8⤵
        
        PID:344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b51149c6-27cb-4170-b4a3-e5be0dba0657.vbs"
        6⤵
        
        PID:872
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\872fdc51-ad4e-46d4-a29d-58f00f2ff8f1.vbs"
      4⤵
      PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\MCT\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Sorting\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System.exe

Filesize
4.9MB

MD5
85ab5c50c78b5db54a69d9f85c8d07ff

SHA1
112a5c1bf9a479baf32c8196ba4b1bc24b27541e

SHA256
4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21

SHA512
2978fdea829a99e828bff671748a346e075ed4fb597127dba6f99bd23704d740d8d776afe530bbd544d42bf71dbcf328a66dbcd55f48dd25ee2a9cb46878eaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\04778873-4537-48fe-a853-4bd7adcdc0b4.vbs

Filesize
720B

MD5
97244e66a8df1554e716d8b4b18ca0cd

SHA1
9fd3fd7aa68152b055d2ad7c05f5a56d4e1504b7

SHA256
46c35db46c12fbe0ec2eebdcf02ff5fcd8587e75f3e3fdffbf634727effb8f53

SHA512
0083d1b91acc9b538a37b5e8e09395d8fb340613d2c9652b70389d8321091cc6daf1d914045a79de6b07eb247722a832f76d56116ccd217c1054accfcdffa9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a42e98b-37ff-4f9d-a296-f7d7e011339a.vbs

Filesize
720B

MD5
46101945e0de1193e323afa0f3f5c14e

SHA1
9d8258e82cb7c77374889f5bb3252724005169a9

SHA256
3b6336b50da392ec51ff9fd9f59acb5a57d778b68104eac4572421124537901c

SHA512
04591526ffdb86c51e99099c5d40a49dcd65814d2473154a0c6a71126b39f6a570c3c6d6c0f6919e207f9d2d70e0c401d0b5482c5e48c8866e699ef9b719278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e98551b-fe91-485c-8978-e00c707a9d2f.vbs

Filesize
720B

MD5
8b196b9f0de1c703af94f22d153e61d5

SHA1
ec004c0558fd59dc80d18e76ff6e1fff896d39d4

SHA256
68a29927106e4037b4169ea76b30b0217819c61ec31c59850a8374ef92dfd6ea

SHA512
a430760cffb632ad9b27b635a84b702375a27f824af3fd8bff2709665658f7cfcfb2832780fade91abbf33510eac9a0b78e063f6e4d63e1d54f1e043dd5d5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b2e1e66-2459-4f15-9412-7e8149539ae8.vbs

Filesize
720B

MD5
f981b61634c729ae3a8e832d3b4cd794

SHA1
a5ac35380ccca29382dff7ce2430096e72d00bd6

SHA256
207238dc7c7e47b32777881f84ac9c5b78348a04a8db156f8e9c7db2786e876b

SHA512
0d7ff5f427444d4c6a5eb1593cb596faecb33a08528124db73a93e7bff39f55b3e63dbfff75634c0487bcf8f382a7c14fe7989847e26f907f4c2da8fa5b68c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fff9864-4cf7-4347-8254-fafbc0f887fe.vbs

Filesize
720B

MD5
cb9a123d4f4232b72ed168160d2b4c1b

SHA1
f12d28c5b77596c44153fe2d2af0be9c59dac230

SHA256
1981bd7ac3919165e09ceea7585261417fea6e50f403f098a0953dbe8509640e

SHA512
6a34168623458f8c336853dd2c79d0ce902523bc1553574cac00933ecfe856a410649d48e3790762a669d007728e2bcf860216fc515a3d3df4d84453eae8868a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e869d18-aca6-4612-88c4-d2bd8bca4879.vbs

Filesize
720B

MD5
6b8e49323ae410e3887cdf945388f547

SHA1
4f22bf9f463eb7a973877e7d887b787c233f710c

SHA256
54a1c8cad57aa4a5cd93f22dcf5aebe0c1cd17c4c19fcc34f7800417419adddc

SHA512
6fc0d8591afdb981cce944bcd18a9274bc8a6761b3ca69d4c5bcc5abf5616bb1a656297c8298ee10bfa6dea7211668ad4c9f4ab9202b4451a1739d9e0d3d8e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\832716e6-da97-4d1c-bd9a-f0001ae5470d.vbs

Filesize
720B

MD5
957e6bd4c20c592878f4a6481db1f573

SHA1
a293fbb9390827f59d3b777f975eb930303f0da4

SHA256
e4a2c3c418cdb53d2ed97492743e73b8b4f7052aa1d9abc6610bdfc69b22c06c

SHA512
e4c020494a401df3fc2ce05dbc4925bc3e22e2f115b16f7fe10b3a442bfa7328fd01926b258b4099f799c547636193cd998fb5ed8f7d7e998ea6fac9e5675857

Download Submit
C:\Users\Admin\AppData\Local\Temp\872fdc51-ad4e-46d4-a29d-58f00f2ff8f1.vbs

Filesize
496B

MD5
fb11402acb34e547beb07b1ef13e4709

SHA1
4a8b69e815e281b3c8746d74d97f978adef5e571

SHA256
12effc24453dc14823c50330b0de3c59f5b8888b53db06bfc09bd0b55b6d5a5d

SHA512
fe97f0a6a4a306afbc001f2ee8c2734ae0edc4c3b7bf51818dd7e5fca26648a516910b057f8aee6e73905f0c5357fbaba6fa02ea1c88f9852b6690aa71ee5cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9262fb84-a4e7-4c67-9071-6b63e47752e1.vbs

Filesize
720B

MD5
04d482a6db61504965267e9ab36d105e

SHA1
58f32be527da4b457ba075435dcb695186831507

SHA256
d023a7ce8c864b90a8a526ab4ea0d6382e81dbd721f10e979cb995a9befb1739

SHA512
aee084666744a81763f9c8885e69062a13c40a164264c4ae83dc10f5daa8779ecd81a67a0d321c5b5c7a6f70dc201cb43936b204f4c9e4295452cc7cdeedd875

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53efb59-47fd-48d3-9ac2-d46d1d836494.vbs

Filesize
720B

MD5
bd1126cb5cb05e831f2261e7b223f0b8

SHA1
5c5303654eddba573c5f3edac970120f6c7094b4

SHA256
e0d2e98e1c02f0cdbe42b31a7bec4902d085f9a32f14ef3424c72145dd0bcde8

SHA512
c01da76dc25287d3b0dc882647da27077e3d8b1e602e345584474300b94ba072184b80c3ef95aba7419ad10d7ae9834bda45df61b6e3b12ae0fa0541402cf564

Download Submit
C:\Users\Admin\AppData\Local\Temp\cce79c58-3ada-4546-b373-80d442a561f4.vbs

Filesize
720B

MD5
60007e8dbb18fea145103a98a075bd9f

SHA1
56de5758f582256e4c79ec34bc03b2ad6cae0aea

SHA256
8ccf6692628ae4e908d856f1996ceaecce6cd567d612c6226dc4a06dac0c5b05

SHA512
b9f6e44f51028fdcbb7c42e8b16e1971f13b58a5b2513f3203a5c8e470b6a97ffe85c5c0515eae78eaa8896a813a1919811c8361051dbeea09a62faed9eccf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2DB5.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea1569dbf87387dffb8d78d3b8d5b9c3

SHA1
ce47ac45796a2250252c072f259df4b2bc31a4e2

SHA256
d1b4ba72855f534e0bc90b80cab5b6be23c7c9a96f9905bf8c1e5fb7c20e2dbe

SHA512
d570251d5d15c7ef68caafed238fae03c86ac976d5c39e7dd49ce2bf577c5b58dd63598a09f84d2f4a36801ef467cdbb51b3b0affb2de019f64c1008b47fcfde

Download Submit
memory/236-113-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/236-111-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/1728-360-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/2096-345-0x0000000000980000-0x0000000000E74000-memory.dmp

Filesize
5.0MB

Download
memory/2320-213-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2320-233-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2412-330-0x00000000000D0000-0x00000000005C4000-memory.dmp

Filesize
5.0MB

Download
memory/2644-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2644-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2644-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2644-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2644-1-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2644-3-0x000000001B660000-0x000000001B78E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2644-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2644-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2644-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2644-0-0x000007FEF5FE3000-0x000007FEF5FE4000-memory.dmp

Filesize
4KB

Download
memory/2644-9-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2644-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2644-118-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-6-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2644-5-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2644-4-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/2644-2-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-274-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/2764-273-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download