dcrat | 3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Size

4.9MB
MD5

1911b6311a270c552cb6e21487fe3b96
SHA1

5e7c973851b8c3be5e977862d644c5bf02694b3a
SHA256

3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921
SHA512

7f8c341832fd3df6ed728c0bdad196179e8af1a10950b4d9105620bfcea1fb3280a034c9742eeca1ec9c81bbe44e264799629e7033397d0001bda08f642fda03
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2448	schtasks.exe
		2672	schtasks.exe
		2472	schtasks.exe
		1300	schtasks.exe
		1520	schtasks.exe
		2912	schtasks.exe
		2444	schtasks.exe
		2928	schtasks.exe
		1760	schtasks.exe
		1272	schtasks.exe
		1548	schtasks.exe
		436	schtasks.exe
		3068	schtasks.exe
		2624	schtasks.exe
		2060	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\cc11b995f2a76d		3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
		1400	schtasks.exe
		2204	schtasks.exe
		2764	schtasks.exe
		1712	schtasks.exe
		2356	schtasks.exe
		872	schtasks.exe
		1848	schtasks.exe
		1104	schtasks.exe
		2576	schtasks.exe
		1796	schtasks.exe
		2836	schtasks.exe
		2084	schtasks.exe
		2284	schtasks.exe
		980	schtasks.exe
		2856	schtasks.exe
		1556	schtasks.exe
		2536	schtasks.exe
		2496	schtasks.exe
		2904	schtasks.exe
		2492	schtasks.exe
		2848	schtasks.exe
		2980	schtasks.exe
		2280	schtasks.exe
		2556	schtasks.exe
		3048	schtasks.exe
		2520	schtasks.exe
		2616	schtasks.exe
		2200	schtasks.exe
		2992	schtasks.exe
		472	schtasks.exe
		1556	schtasks.exe
File created	C:\Program Files (x86)\Windows Media Player\b75386f1303e64		3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
		2148	schtasks.exe
		2592	schtasks.exe
		1300	schtasks.exe
		1832	schtasks.exe
		1852	schtasks.exe
		1352	schtasks.exe
		2016	schtasks.exe
		840	schtasks.exe
		1412	schtasks.exe
		2412	schtasks.exe
		2184	schtasks.exe
		808	schtasks.exe
		1860	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
		2528	schtasks.exe
		2088	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2748	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2964-3-0x000000001B410000-0x000000001B53E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2476	powershell.exe
560	powershell.exe
2584	powershell.exe
2392	powershell.exe
1688	powershell.exe
776	powershell.exe
748	powershell.exe
848	powershell.exe
2384	powershell.exe
592	powershell.exe
1420	powershell.exe
1416	powershell.exe
2936	powershell.exe
2068	powershell.exe
328	powershell.exe
2728	powershell.exe
1960	powershell.exe
1928	powershell.exe
1612	powershell.exe
1340	powershell.exe
2240	powershell.exe
368	powershell.exe
2124	powershell.exe
2460	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2576	Idle.exe
2992	Idle.exe
1324	Idle.exe
2688	Idle.exe
2712	Idle.exe
1200	Idle.exe
1128	Idle.exe
2612	Idle.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\sr-Latn-CS\dwm.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\System32\sr-Latn-CS\6cb0b6c459d5d3	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Windows\System32\sr-Latn-CS\dwm.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\taskhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Windows Defender\lsm.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Windows Defender\101b941d020240	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\088424020bedd6	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\69ddcba757bf72	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\e978f868350d50	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\088424020bedd6	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\6ccacd8608530f	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\cc11b995f2a76d	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Windows Media Player\taskhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Windows Media Player\b75386f1303e64	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\RCX6460.tmp	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX69CF.tmp	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lsm.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\AppPatch\088424020bedd6	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\powershell.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\Performance\WinSAT\DataStore\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\Performance\WinSAT\DataStore\088424020bedd6	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\powershell.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\e978f868350d50	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Windows\Media\Landscape\taskhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\Media\Landscape\taskhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\Media\Landscape\b75386f1303e64	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File created	C:\Windows\Speech\Engines\SR\es-ES\smss.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Windows\AppPatch\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\conhost.exe	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2444	schtasks.exe
1760	schtasks.exe
2592	schtasks.exe
2556	schtasks.exe
1548	schtasks.exe
2204	schtasks.exe
2284	schtasks.exe
2088	schtasks.exe
2836	schtasks.exe
3068	schtasks.exe
2148	schtasks.exe
2156	schtasks.exe
1400	schtasks.exe
2992	schtasks.exe
1520	schtasks.exe
1128	schtasks.exe
1272	schtasks.exe
2848	schtasks.exe
2356	schtasks.exe
1860	schtasks.exe
316	schtasks.exe
2472	schtasks.exe
1104	schtasks.exe
2576	schtasks.exe
2904	schtasks.exe
980	schtasks.exe
2856	schtasks.exe
2412	schtasks.exe
1712	schtasks.exe
1852	schtasks.exe
2448	schtasks.exe
2016	schtasks.exe
808	schtasks.exe
2340	schtasks.exe
2980	schtasks.exe
2280	schtasks.exe
2520	schtasks.exe
872	schtasks.exe
2624	schtasks.exe
1300	schtasks.exe
2528	schtasks.exe
472	schtasks.exe
2536	schtasks.exe
1556	schtasks.exe
436	schtasks.exe
2084	schtasks.exe
1796	schtasks.exe
2200	schtasks.exe
840	schtasks.exe
2528	schtasks.exe
2764	schtasks.exe
1352	schtasks.exe
2912	schtasks.exe
2928	schtasks.exe
2824	schtasks.exe
884	schtasks.exe
2672	schtasks.exe
2492	schtasks.exe
1300	schtasks.exe
2184	schtasks.exe
1832	schtasks.exe
2616	schtasks.exe
1412	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
368	powershell.exe
1340	powershell.exe
1420	powershell.exe
848	powershell.exe
2392	powershell.exe
328	powershell.exe
1688	powershell.exe
748	powershell.exe
2384	powershell.exe
592	powershell.exe
776	powershell.exe
2240	powershell.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2576	Idle.exe
Token: SeDebugPrivilege	2992	Idle.exe
Token: SeDebugPrivilege	1324	Idle.exe
Token: SeDebugPrivilege	2688	Idle.exe
Token: SeDebugPrivilege	2712	Idle.exe
Token: SeDebugPrivilege	1200	Idle.exe
Token: SeDebugPrivilege	1128	Idle.exe
Token: SeDebugPrivilege	2612	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1340	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	43
PID 2964 wrote to memory of 1340	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	43
PID 2964 wrote to memory of 1340	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	43
PID 2964 wrote to memory of 2240	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	44
PID 2964 wrote to memory of 2240	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	44
PID 2964 wrote to memory of 2240	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	44
PID 2964 wrote to memory of 368	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	46
PID 2964 wrote to memory of 368	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	46
PID 2964 wrote to memory of 368	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	46
PID 2964 wrote to memory of 2384	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	47
PID 2964 wrote to memory of 2384	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	47
PID 2964 wrote to memory of 2384	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	47
PID 2964 wrote to memory of 2392	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	48
PID 2964 wrote to memory of 2392	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	48
PID 2964 wrote to memory of 2392	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	48
PID 2964 wrote to memory of 1688	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	50
PID 2964 wrote to memory of 1688	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	50
PID 2964 wrote to memory of 1688	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	50
PID 2964 wrote to memory of 848	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	51
PID 2964 wrote to memory of 848	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	51
PID 2964 wrote to memory of 848	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	51
PID 2964 wrote to memory of 1420	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	53
PID 2964 wrote to memory of 1420	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	53
PID 2964 wrote to memory of 1420	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	53
PID 2964 wrote to memory of 748	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	54
PID 2964 wrote to memory of 748	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	54
PID 2964 wrote to memory of 748	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	54
PID 2964 wrote to memory of 328	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	56
PID 2964 wrote to memory of 328	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	56
PID 2964 wrote to memory of 328	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	56
PID 2964 wrote to memory of 776	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	57
PID 2964 wrote to memory of 776	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	57
PID 2964 wrote to memory of 776	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	57
PID 2964 wrote to memory of 592	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	58
PID 2964 wrote to memory of 592	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	58
PID 2964 wrote to memory of 592	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	58
PID 2964 wrote to memory of 2864	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	67
PID 2964 wrote to memory of 2864	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	67
PID 2964 wrote to memory of 2864	2964	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	67
PID 2864 wrote to memory of 2728	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	125
PID 2864 wrote to memory of 2728	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	125
PID 2864 wrote to memory of 2728	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	125
PID 2864 wrote to memory of 2124	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	126
PID 2864 wrote to memory of 2124	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	126
PID 2864 wrote to memory of 2124	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	126
PID 2864 wrote to memory of 1928	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	127
PID 2864 wrote to memory of 1928	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	127
PID 2864 wrote to memory of 1928	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	127
PID 2864 wrote to memory of 2476	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	128
PID 2864 wrote to memory of 2476	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	128
PID 2864 wrote to memory of 2476	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	128
PID 2864 wrote to memory of 1416	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	129
PID 2864 wrote to memory of 1416	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	129
PID 2864 wrote to memory of 1416	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	129
PID 2864 wrote to memory of 1960	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	131
PID 2864 wrote to memory of 1960	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	131
PID 2864 wrote to memory of 1960	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	131
PID 2864 wrote to memory of 2936	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	136
PID 2864 wrote to memory of 2936	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	136
PID 2864 wrote to memory of 2936	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	136
PID 2864 wrote to memory of 2068	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	137
PID 2864 wrote to memory of 2068	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	137
PID 2864 wrote to memory of 2068	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	137
PID 2864 wrote to memory of 2460	2864	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe	138

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
"C:\Users\Admin\AppData\Local\Temp\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Users\Admin\AppData\Local\Temp\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe
  "C:\Users\Admin\AppData\Local\Temp\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C1Oybx2WeE.bat"
    3⤵
    PID:2052
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1288
  - - C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
      "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2576
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39220ea6-7c2a-4f96-b8e1-5699829e7468.vbs"
        5⤵
        
        PID:2736
      - C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6612219d-75ba-494d-b5ad-aa287ecee43d.vbs"
        7⤵
        
        PID:1048
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a9a5cb8-ceb4-48ef-8dbf-1a232849129b.vbs"
        9⤵
        
        PID:2280
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7676f658-14cf-453d-a355-9cb0d84b8610.vbs"
        11⤵
        
        PID:236
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2345e43-0ad8-4df2-a247-5b2e8b586b71.vbs"
        13⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b12d7118-ad57-4daa-9a91-e6dbe8d0473c.vbs"
        15⤵
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5845384a-3e39-4f20-820a-ba6ae5fdab5b.vbs"
        17⤵
        
        PID:1964
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb18b772-66d5-4216-8a54-dd1e54972633.vbs"
        19⤵
        
        PID:1224
        
        C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe"
        20⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6706bc4d-4b85-41fe-a313-5dde4550cba8.vbs"
        19⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a99016a1-bc75-418a-970d-a9961857c184.vbs"
        17⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cfa4125-fc11-45fa-aaf3-bd3bbf6ff586.vbs"
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\518b4cca-84bb-409d-ad19-30f9771bec7e.vbs"
        13⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99593ce9-8596-4f43-afa1-80946be79229.vbs"
        11⤵
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01cd3cb-cdf0-4660-8037-f550bfcfcc36.vbs"
        9⤵
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c18f1a7-8d2c-4ff1-a089-b34b7a504449.vbs"
        7⤵
        
        PID:852
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9bf2d50-0d3a-42de-9715-0e743ce08062.vbs"
        5⤵
        
        PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b59213" /sc MINUTE /mo 12 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b59213" /sc MINUTE /mo 5 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Landscape\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Landscape\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\sr-Latn-CS\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\sr-Latn-CS\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\sr-Latn-CS\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\DESIGNER\Idle.exe

Filesize
246KB

MD5
7051c18c100cbece0fa1c3a697af91ac

SHA1
60a02586d78653a8b1911d23d466e76fd845cd17

SHA256
4af33cf101c40a94566e17b3075d4bffbbb8cfd210caa38458ffe5c6ebaeaa00

SHA512
a4f8cfc7c81bf49e11c5f4c0b9983bca1a9d020f2fa64e9a38f028e83e1b224f14c6f3fdeb126d855c4e8a853f9edea9445fc40ea821a43e91979458bd21f5cf

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe

Filesize
4.9MB

MD5
1911b6311a270c552cb6e21487fe3b96

SHA1
5e7c973851b8c3be5e977862d644c5bf02694b3a

SHA256
3fec6b384d5a5f3a650eb1b651c4842bd93b01b2cf1b086b2b1e3d7cf97b5921

SHA512
7f8c341832fd3df6ed728c0bdad196179e8af1a10950b4d9105620bfcea1fb3280a034c9742eeca1ec9c81bbe44e264799629e7033397d0001bda08f642fda03

Download Submit
C:\Users\Admin\AppData\Local\Temp\39220ea6-7c2a-4f96-b8e1-5699829e7468.vbs

Filesize
729B

MD5
862088b62f89af980e04726482db1841

SHA1
eebc790144e786321bceea97aec7356f7c26fab3

SHA256
d9d86afa637babe0ff6f20ed463b2e211b1d864847a9ece38a5ddbc5e19d37db

SHA512
b80340f9f5fa6ea20a4b1f61f21a530df3a6d5de61b1bc3579f00bbc4ce1c08d43fb2cb1a5efde20ead7b29e612149638b4ee23c50c8627e56d7167fbd17de7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5845384a-3e39-4f20-820a-ba6ae5fdab5b.vbs

Filesize
729B

MD5
3fcfdde9a47c587a535fdfe788729b45

SHA1
be6cff7e56d42e2d2a908aa2ec9c5dfd0890ecb7

SHA256
54080d9f64ddbb8755892a9dab54599c748c33d897cd14ac1394c8d21a87f9ff

SHA512
ca34182a938c808f4aaa5b6f9e992493587d3543c40fa8b6ac16d9f3669270c246d74ae14e644e63e0816ab20031a8146fe78be03057665a3764b740d1448c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a9a5cb8-ceb4-48ef-8dbf-1a232849129b.vbs

Filesize
729B

MD5
097055c7e78f66e15374c5d6828dfaef

SHA1
2440f47f2d7652c50c3869ceb7b2568ac7c951f0

SHA256
620e86c493cb026020885fccf92c853486c6d9340037ee27a83885a02426d11d

SHA512
ef8d72b2d35608d55dd1fadf3cae27bab5cf976c9ce4dcf9a66596feed5f12fefd7ef312ea430488ab54aef2aa15b31ebd9caf36fde9684443efcead182c49c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6612219d-75ba-494d-b5ad-aa287ecee43d.vbs

Filesize
729B

MD5
c1b4ca2d0ec257cdc58c3f0bd0676dee

SHA1
119f31467b65716aef3d4bd8c6b7d436f054f16a

SHA256
7cdba6989e75aaa584a673cbb69661cd020d55e66ed4b9eff410bc0d8c9e22a2

SHA512
5ec6d90cf86b4c723b8a432ce411e50e4587f2634377eb622d158ea61f13265f98c9c1fa8b9d10149a4e122aa0699246ef43cc2defddb1257c9bf0d6b56d0e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7676f658-14cf-453d-a355-9cb0d84b8610.vbs

Filesize
729B

MD5
d0cf6be2a51cca8ae4936fa4cf3a1e1d

SHA1
e73bbe397261e642c9772107e50e2a63f1455015

SHA256
c35c7a608e98606ae630ce4c0af88d76f3b093286def89e9d61f019643cd4f5d

SHA512
ad5a15b135d187137e555da671e292143df32e4b0e3184914bd68819e868c9d3e485a07b934cf777eceb94a1a85f8db99039e3f77794f7fa579fd617a847b706

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1Oybx2WeE.bat

Filesize
218B

MD5
b0a0b206caf7c9b4dbadb33a436adc86

SHA1
ae1f7b357865685570a9b474e9ad58fdd81b7297

SHA256
dd060291e33f1323591e5f935ff3d76c5bcfe878c9efc2bd610d5d5360e9b383

SHA512
f471dd12401d04f0aa94677e326f70b443b24ba8d6ab993e3f141f33a3ecb21c5bda0a163ace52f0dbea68aea448d87eea46e34f70e842ff84ff55b13d6adf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2345e43-0ad8-4df2-a247-5b2e8b586b71.vbs

Filesize
729B

MD5
83a7b7de3ac65ca9839b26ed30a73555

SHA1
6de7b651c064480510143b3dd283e8b7d4237a41

SHA256
a20d99dd74743471acbd510384598587ea6987a46fdee4933389c0a314848f96

SHA512
956a5b843b42762c563a2dcd55ddc5a353f8abd6c3fefdca18d79df3fb38593008e0ee9c70f8ee0f4854ad40a336333527303f10dbb67893255a0d64085f807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9bf2d50-0d3a-42de-9715-0e743ce08062.vbs

Filesize
505B

MD5
1fa31a6848b3a6b8c078ead24cf6692c

SHA1
b4d58042cf7197ceccf5af037fdcdfe19bb4cc2f

SHA256
c852d6c980320accee981437942a37f538d5c1a4ad5965686e3424bc9e2f4348

SHA512
9e4fc87e0d64b8ff457ecdfbd58c537ac802f582525a785d34523d08c3a1d2892860fb54bb278de5d0d7f32fc84e19c828165d02659028876ad363abbcf2290f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b12d7118-ad57-4daa-9a91-e6dbe8d0473c.vbs

Filesize
729B

MD5
97aea03f0353660c0e28cf380ed706fd

SHA1
caba682868d335fd172005a7ededbc7acda31761

SHA256
bc0aa37ddeb283eaf86220a391774485dd31df80e29927dcfbc9b6486c7d785e

SHA512
d27421402f1288c2e9a38f8ab582d6f02e33d582f55455508c7fd210fb91701921afb35649c9d7095f6d653399c3fd005c372c5ceaae30c460880bd4be1c78a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb18b772-66d5-4216-8a54-dd1e54972633.vbs

Filesize
729B

MD5
a025f3b69f102922ec8070595b35bc17

SHA1
2368cce307152a9a436568fe1599480efc781f03

SHA256
e1813f3bbefd248c196bfe8a8bd8a7e629eb3774813ca585375703ef66298dca

SHA512
89a194e6b3429f2a2811cfcd0fe9ff8396eb944f35279c315e8319290ea84077474c7ffd1a84e35baec2190fe5c15724a23b7066e36c34ce240b7daf2800fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EC1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
89c58b25b0813742369f9a3c68af25b5

SHA1
08de16987f2069e3a765ade42fb64adf1ae9bb68

SHA256
253dd1ce3e7c35434ae6833023cd5047fa1fae12ca31f8e264353b2f24fdf29f

SHA512
221aff36154fb7de189b71ad45cdb5f932edb6550be1b9a44cd3e4430bfcc6b14b68a4a240ad74ebb60ee9e576bd7bdcb7f31a1f1ae4925686a1a63959e98943

Download Submit
memory/368-69-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/1200-340-0x0000000001030000-0x0000000001524000-memory.dmp

Filesize
5.0MB

Download
memory/1340-68-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-243-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/2576-268-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/2712-325-0x0000000000110000-0x0000000000604000-memory.dmp

Filesize
5.0MB

Download
memory/2728-222-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2964-10-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2964-0-0x000007FEF4F43000-0x000007FEF4F44000-memory.dmp

Filesize
4KB

Download
memory/2964-16-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/2964-15-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2964-14-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2964-13-0x0000000002760000-0x000000000276E000-memory.dmp

Filesize
56KB

Download
memory/2964-12-0x0000000002750000-0x000000000275E000-memory.dmp

Filesize
56KB

Download
memory/2964-11-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/2964-1-0x0000000000BF0000-0x00000000010E4000-memory.dmp

Filesize
5.0MB

Download
memory/2964-71-0x000007FEF4F40000-0x000007FEF592C000-memory.dmp

Filesize
9.9MB

Download
memory/2964-9-0x00000000026A0000-0x00000000026AA000-memory.dmp

Filesize
40KB

Download
memory/2964-8-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2964-7-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2964-6-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2964-5-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2964-4-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/2964-3-0x000000001B410000-0x000000001B53E000-memory.dmp

Filesize
1.2MB

Download
memory/2964-2-0x000007FEF4F40000-0x000007FEF592C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-282-0x00000000012B0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download