dcrat | ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0

Analysis

max time kernel
18s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Size

1.6MB
MD5

8ce0a9103ab10fed54094a3a2d1146e0
SHA1

4aef0ddaa8d065170c0ff2cc099c31aa6b1085aa
SHA256

ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0
SHA512

cf0adcb740f1eec83e6477bc487cf3a0d152222e08f186b78a674e0e9178b591e7088c5a2d2763dbd6eed55e3eef2bbdfaddf1791158e7dad7c891577f71e76f
SSDEEP

24576:NsoVH984fBm2iMbyrpEGwFQ0Gm3eQk31V6hK5r898Qs:NAtJeGwkm3eQk31rF8V

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 61 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2884	schtasks.exe
		2404	schtasks.exe
		540	schtasks.exe
		300	schtasks.exe
		2888	schtasks.exe
		3024	schtasks.exe
		856	schtasks.exe
		292	schtasks.exe
		3040	schtasks.exe
		1280	schtasks.exe
		2472	schtasks.exe
		872	schtasks.exe
		2608	schtasks.exe
		492	schtasks.exe
		1540	schtasks.exe
		2164	schtasks.exe
		2764	schtasks.exe
		284	schtasks.exe
		2944	schtasks.exe
		2628	schtasks.exe
		2144	schtasks.exe
		2580	schtasks.exe
		2440	schtasks.exe
		552	schtasks.exe
		2688	schtasks.exe
		972	schtasks.exe
		1336	schtasks.exe
		2988	schtasks.exe
		2364	schtasks.exe
		2044	schtasks.exe
		3064	schtasks.exe
		1560	schtasks.exe
		2536	schtasks.exe
		2832	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
		2628	schtasks.exe
		2064	schtasks.exe
		1596	schtasks.exe
		1492	schtasks.exe
		2744	schtasks.exe
		2036	schtasks.exe
		2692	schtasks.exe
		2820	schtasks.exe
		1956	schtasks.exe
		1716	schtasks.exe
		2908	schtasks.exe
		944	schtasks.exe
		1688	schtasks.exe
		1156	schtasks.exe
		2196	schtasks.exe
		2748	schtasks.exe
		2600	schtasks.exe
		2992	schtasks.exe
		2180	schtasks.exe
		2128	schtasks.exe
		948	schtasks.exe
		2244	schtasks.exe
		2768	schtasks.exe
		2592	schtasks.exe
		2892	schtasks.exe
		2864	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2700	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3068-1-0x0000000000150000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1472-27-0x0000000000940000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/files/0x000500000001939f-30.dat	dcrat
behavioral1/memory/2308-69-0x00000000003B0000-0x0000000000550000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2308	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\es-ES\6203df4a6bafc7	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\886983d96e3d3e	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Windows Defender\csrss.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Windows Defender\886983d96e3d3e	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Windows Defender\b75386f1303e64	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files\Windows Sidebar\es-ES\lsass.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Windows Defender\taskhost.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\6ccacd8608530f	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\AppPatch\es-ES\services.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\AppPatch\es-ES\c5b4cb5e9653cc	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\Idle.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2036	schtasks.exe
944	schtasks.exe
300	schtasks.exe
2992	schtasks.exe
2536	schtasks.exe
2944	schtasks.exe
2820	schtasks.exe
492	schtasks.exe
2908	schtasks.exe
2364	schtasks.exe
2888	schtasks.exe
1716	schtasks.exe
2128	schtasks.exe
2628	schtasks.exe
2600	schtasks.exe
3024	schtasks.exe
2440	schtasks.exe
2748	schtasks.exe
1492	schtasks.exe
2592	schtasks.exe
2832	schtasks.exe
1688	schtasks.exe
2864	schtasks.exe
2764	schtasks.exe
2144	schtasks.exe
2768	schtasks.exe
1956	schtasks.exe
2580	schtasks.exe
2472	schtasks.exe
2244	schtasks.exe
1596	schtasks.exe
2892	schtasks.exe
292	schtasks.exe
2404	schtasks.exe
2164	schtasks.exe
2608	schtasks.exe
856	schtasks.exe
2692	schtasks.exe
1560	schtasks.exe
948	schtasks.exe
2688	schtasks.exe
284	schtasks.exe
2180	schtasks.exe
3040	schtasks.exe
872	schtasks.exe
972	schtasks.exe
1336	schtasks.exe
2988	schtasks.exe
2064	schtasks.exe
2196	schtasks.exe
2884	schtasks.exe
2628	schtasks.exe
1156	schtasks.exe
1540	schtasks.exe
1280	schtasks.exe
552	schtasks.exe
3064	schtasks.exe
2744	schtasks.exe
2044	schtasks.exe
540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3068	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
2308	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Token: SeDebugPrivilege	1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Token: SeDebugPrivilege	2308	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2224	3068	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	40
PID 3068 wrote to memory of 2224	3068	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	40
PID 3068 wrote to memory of 2224	3068	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	40
PID 2224 wrote to memory of 2024	2224	cmd.exe	42
PID 2224 wrote to memory of 2024	2224	cmd.exe	42
PID 2224 wrote to memory of 2024	2224	cmd.exe	42
PID 2224 wrote to memory of 1472	2224	cmd.exe	43
PID 2224 wrote to memory of 1472	2224	cmd.exe	43
PID 2224 wrote to memory of 1472	2224	cmd.exe	43
PID 1472 wrote to memory of 1924	1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	95
PID 1472 wrote to memory of 1924	1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	95
PID 1472 wrote to memory of 1924	1472	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	95
PID 1924 wrote to memory of 3032	1924	cmd.exe	97
PID 1924 wrote to memory of 3032	1924	cmd.exe	97
PID 1924 wrote to memory of 3032	1924	cmd.exe	97
PID 1924 wrote to memory of 2308	1924	cmd.exe	99
PID 1924 wrote to memory of 2308	1924	cmd.exe	99
PID 1924 wrote to memory of 2308	1924	cmd.exe	99

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
"C:\Users\Admin\AppData\Local\Temp\ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1X4Oiktcx2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1472
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rM6uXVRCTF.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3032
    - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\es-ES\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\es-ES\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe

Filesize
1.6MB

MD5
8ce0a9103ab10fed54094a3a2d1146e0

SHA1
4aef0ddaa8d065170c0ff2cc099c31aa6b1085aa

SHA256
ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0

SHA512
cf0adcb740f1eec83e6477bc487cf3a0d152222e08f186b78a674e0e9178b591e7088c5a2d2763dbd6eed55e3eef2bbdfaddf1791158e7dad7c891577f71e76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1X4Oiktcx2.bat

Filesize
268B

MD5
13adb1dee93e8464e76a19ffccdd11fc

SHA1
094d23c97f1576be5ac5fcccd4221ce7b0b3431c

SHA256
69cfe54e52f7f5669a74ae841201d292a97e16754a48d1dec82bef22107c7246

SHA512
dd72382844010ef390f1d8988a106c14b6ebdff47da467a7c765028ac750c7f54b66ea4c04257419ee35960afe368fe480aea69bfd37ba281fe66acd2af80c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE053.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE085.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rM6uXVRCTF.bat

Filesize
225B

MD5
3a9dd2f0a39e58d22d0fcdefbe4807ca

SHA1
d6b5a5c1151ab780cda4bc791658e8a951e4416c

SHA256
f63471f83e5f457ae5ba6603bee314913dda506f96069ba809d33bff83930dc8

SHA512
148079f9e0f6ec80a44f01077b23ac6e2c2c11ff72f32c88583e2c42a05de8b9e8fa43ee25756314325d5cf5c388a207e5f38cb7be5f7b59e446954197f9685b

Download Submit
memory/1472-27-0x0000000000940000-0x0000000000AE0000-memory.dmp

Filesize
1.6MB

Download
memory/2308-70-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/2308-69-0x00000000003B0000-0x0000000000550000-memory.dmp

Filesize
1.6MB

Download
memory/3068-6-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/3068-25-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-10-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/3068-11-0x0000000000730000-0x000000000073E000-memory.dmp

Filesize
56KB

Download
memory/3068-12-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/3068-13-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/3068-14-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/3068-9-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/3068-8-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/3068-7-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/3068-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/3068-5-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/3068-3-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download
memory/3068-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-1-0x0000000000150000-0x00000000002F0000-memory.dmp

Filesize
1.6MB

Download