dcrat | 0c0b4ee3d14fa4db0bc8268ed908480dd3b977fa3c98bcb930a52fc2839d35b4

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31970365cad3425aa523a7815d695f3c.exe
Size

1.2MB
MD5

31970365cad3425aa523a7815d695f3c
SHA1

1c6196284ec2666000bda7c091cda224fad77473
SHA256

0c0b4ee3d14fa4db0bc8268ed908480dd3b977fa3c98bcb930a52fc2839d35b4
SHA512

7e95cf8c6ac59ab53c8cdaca6fab41ff7c968afa692f88b2bb90966db9eb1682ac969043d1fea6db876b7df3665dfc522b736257db798e574b2344626c0bde49
SSDEEP

24576:LJlmUJyTmqFOGfeRIvZ6+adOSMZgrWoIaWrcX:evU+a/rSro

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1720	schtasks.exe
		2200	schtasks.exe
		2600	schtasks.exe
		2596	schtasks.exe
		2036	schtasks.exe
		1536	schtasks.exe
		1308	schtasks.exe
		1120	schtasks.exe
File created	C:\Windows\Tasks\886983d96e3d3e		31970365cad3425aa523a7815d695f3c.exe
		376	schtasks.exe
		2012	schtasks.exe
		1632	schtasks.exe
		2468	schtasks.exe
		1196	schtasks.exe
		2188	schtasks.exe
		484	schtasks.exe
		2800	schtasks.exe
		800	schtasks.exe
		2240	schtasks.exe
		1012	schtasks.exe
		1484	schtasks.exe
		1880	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		31970365cad3425aa523a7815d695f3c.exe
		2956	schtasks.exe
		2916	schtasks.exe
		2788	schtasks.exe
		2376	schtasks.exe
		3016	schtasks.exe
		1808	schtasks.exe
		960	schtasks.exe
		2236	schtasks.exe
		2368	schtasks.exe
		2720	schtasks.exe
		1548	schtasks.exe
		2760	schtasks.exe
		2836	schtasks.exe
		2040	schtasks.exe
		1836	schtasks.exe
		2296	schtasks.exe
		2504	schtasks.exe
		2712	schtasks.exe
		484	schtasks.exe
		1648	schtasks.exe
		2568	schtasks.exe
		2420	schtasks.exe
		2596	schtasks.exe
		2756	schtasks.exe
		2688	schtasks.exe
		2076	schtasks.exe
		2576	schtasks.exe
		1176	schtasks.exe
		2108	schtasks.exe
		2024	schtasks.exe
		2868	schtasks.exe
		1348	schtasks.exe
		1620	schtasks.exe
		2568	schtasks.exe
		2616	schtasks.exe
		2748	schtasks.exe
		1544	schtasks.exe
		2212	schtasks.exe
		2636	schtasks.exe
		2976	schtasks.exe
		1560	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 22 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\7-Zip\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\7-Zip\\powershell.exe\", \"C:\\Program Files\\Common Files\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\7-Zip\\powershell.exe\", \"C:\\Program Files\\Common Files\\conhost.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\lsm.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\", \"C:\\Program Files\\7-Zip\\powershell.exe\", \"C:\\Program Files\\Common Files\\conhost.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\lsm.exe\", \"C:\\Windows\\DigitalLocker\\fr-FR\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Tasks\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\Tasks\\powershell.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2328	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2328	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2536-1-0x0000000000890000-0x00000000009C2000-memory.dmp	dcrat
behavioral1/files/0x0005000000018784-22.dat	dcrat
behavioral1/memory/2364-250-0x0000000000CE0000-0x0000000000E12000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1460	powershell.exe
1496	powershell.exe
1588	powershell.exe
1600	powershell.exe
2172	powershell.exe
2308	powershell.exe
1052	powershell.exe
324	powershell.exe
2376	powershell.exe
1892	powershell.exe
988	powershell.exe
2608	powershell.exe
2100	powershell.exe
1784	powershell.exe
1804	powershell.exe
1828	powershell.exe
1396	powershell.exe
800	powershell.exe
2880	powershell.exe
1788	powershell.exe
2996	powershell.exe
2428	powershell.exe
3004	powershell.exe
1424	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	31970365cad3425aa523a7815d695f3c.exe
2364	System.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Common Files\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\System.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Common Files\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\DigitalLocker\\fr-FR\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\Tasks\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\lsass.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\7-Zip\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\7-Zip\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\it\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\lsm.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Tasks\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\WmiPrvSE.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\Tasks\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Web\\Wallpaper\\Scenes\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\lsm.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\DigitalLocker\\fr-FR\\powershell.exe\""	31970365cad3425aa523a7815d695f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Tasks\\csrss.exe\""	31970365cad3425aa523a7815d695f3c.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31970365cad3425aa523a7815d695f3c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31970365cad3425aa523a7815d695f3c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\24dbde2999530e	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files\7-Zip\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCXC0E1.tmp	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files\Common Files\conhost.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXC2E5.tmp	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files\7-Zip\e978f868350d50	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXCDD2.tmp	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files\7-Zip\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files\Common Files\088424020bedd6	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\101b941d020240	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\e978f868350d50	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\886983d96e3d3e	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\WmiPrvSE.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\e978f868350d50	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCXCFD6.tmp	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\24dbde2999530e	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\6203df4a6bafc7	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\WmiPrvSE.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Program Files\Common Files\conhost.exe	31970365cad3425aa523a7815d695f3c.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCXD1DA.tmp	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\Tasks\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\fr-FR\conhost.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\fr-FR\088424020bedd6	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\Web\Wallpaper\Scenes\csrss.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\DigitalLocker\fr-FR\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\Tasks\csrss.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\Web\Wallpaper\Scenes\886983d96e3d3e	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\csrss.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\Tasks\e978f868350d50	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Windows\fr-FR\conhost.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Windows\Tasks\csrss.exe	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Windows\Tasks\RCXBEDD.tmp	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Windows\Tasks\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\DigitalLocker\fr-FR\e978f868350d50	31970365cad3425aa523a7815d695f3c.exe
File opened for modification	C:\Windows\DigitalLocker\fr-FR\powershell.exe	31970365cad3425aa523a7815d695f3c.exe
File created	C:\Windows\Tasks\886983d96e3d3e	31970365cad3425aa523a7815d695f3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
1176	schtasks.exe
3016	schtasks.exe
992	schtasks.exe
1548	schtasks.exe
2240	schtasks.exe
2024	schtasks.exe
1976	schtasks.exe
2800	schtasks.exe
2720	schtasks.exe
2600	schtasks.exe
1648	schtasks.exe
2040	schtasks.exe
2956	schtasks.exe
1120	schtasks.exe
2036	schtasks.exe
2976	schtasks.exe
2076	schtasks.exe
2296	schtasks.exe
800	schtasks.exe
1544	schtasks.exe
1880	schtasks.exe
2188	schtasks.exe
2576	schtasks.exe
2712	schtasks.exe
2596	schtasks.exe
2120	schtasks.exe
2916	schtasks.exe
1836	schtasks.exe
1012	schtasks.exe
2212	schtasks.exe
1196	schtasks.exe
484	schtasks.exe
376	schtasks.exe
2012	schtasks.exe
2568	schtasks.exe
2760	schtasks.exe
1808	schtasks.exe
2788	schtasks.exe
2868	schtasks.exe
2756	schtasks.exe
1560	schtasks.exe
1348	schtasks.exe
1632	schtasks.exe
2236	schtasks.exe
2616	schtasks.exe
2596	schtasks.exe
2568	schtasks.exe
1620	schtasks.exe
2200	schtasks.exe
1308	schtasks.exe
1536	schtasks.exe
2420	schtasks.exe
2368	schtasks.exe
2688	schtasks.exe
2468	schtasks.exe
1484	schtasks.exe
2504	schtasks.exe
960	schtasks.exe
2108	schtasks.exe
1720	schtasks.exe
2836	schtasks.exe
2636	schtasks.exe
2152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	31970365cad3425aa523a7815d695f3c.exe
1460	powershell.exe
1788	powershell.exe
2100	powershell.exe
1784	powershell.exe
1828	powershell.exe
988	powershell.exe
1804	powershell.exe
1052	powershell.exe
1600	powershell.exe
1892	powershell.exe
2376	powershell.exe
324	powershell.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2740	31970365cad3425aa523a7815d695f3c.exe
2996	powershell.exe
3004	powershell.exe
1496	powershell.exe
800	powershell.exe
1424	powershell.exe
2308	powershell.exe
2880	powershell.exe
1588	powershell.exe
1396	powershell.exe
2608	powershell.exe
2172	powershell.exe
2428	powershell.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe
2364	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	System.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	31970365cad3425aa523a7815d695f3c.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2740	31970365cad3425aa523a7815d695f3c.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2364	System.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2100	2536	31970365cad3425aa523a7815d695f3c.exe	65
PID 2536 wrote to memory of 2100	2536	31970365cad3425aa523a7815d695f3c.exe	65
PID 2536 wrote to memory of 2100	2536	31970365cad3425aa523a7815d695f3c.exe	65
PID 2536 wrote to memory of 1052	2536	31970365cad3425aa523a7815d695f3c.exe	66
PID 2536 wrote to memory of 1052	2536	31970365cad3425aa523a7815d695f3c.exe	66
PID 2536 wrote to memory of 1052	2536	31970365cad3425aa523a7815d695f3c.exe	66
PID 2536 wrote to memory of 1460	2536	31970365cad3425aa523a7815d695f3c.exe	67
PID 2536 wrote to memory of 1460	2536	31970365cad3425aa523a7815d695f3c.exe	67
PID 2536 wrote to memory of 1460	2536	31970365cad3425aa523a7815d695f3c.exe	67
PID 2536 wrote to memory of 324	2536	31970365cad3425aa523a7815d695f3c.exe	68
PID 2536 wrote to memory of 324	2536	31970365cad3425aa523a7815d695f3c.exe	68
PID 2536 wrote to memory of 324	2536	31970365cad3425aa523a7815d695f3c.exe	68
PID 2536 wrote to memory of 1600	2536	31970365cad3425aa523a7815d695f3c.exe	73
PID 2536 wrote to memory of 1600	2536	31970365cad3425aa523a7815d695f3c.exe	73
PID 2536 wrote to memory of 1600	2536	31970365cad3425aa523a7815d695f3c.exe	73
PID 2536 wrote to memory of 988	2536	31970365cad3425aa523a7815d695f3c.exe	74
PID 2536 wrote to memory of 988	2536	31970365cad3425aa523a7815d695f3c.exe	74
PID 2536 wrote to memory of 988	2536	31970365cad3425aa523a7815d695f3c.exe	74
PID 2536 wrote to memory of 1828	2536	31970365cad3425aa523a7815d695f3c.exe	75
PID 2536 wrote to memory of 1828	2536	31970365cad3425aa523a7815d695f3c.exe	75
PID 2536 wrote to memory of 1828	2536	31970365cad3425aa523a7815d695f3c.exe	75
PID 2536 wrote to memory of 1804	2536	31970365cad3425aa523a7815d695f3c.exe	76
PID 2536 wrote to memory of 1804	2536	31970365cad3425aa523a7815d695f3c.exe	76
PID 2536 wrote to memory of 1804	2536	31970365cad3425aa523a7815d695f3c.exe	76
PID 2536 wrote to memory of 1892	2536	31970365cad3425aa523a7815d695f3c.exe	77
PID 2536 wrote to memory of 1892	2536	31970365cad3425aa523a7815d695f3c.exe	77
PID 2536 wrote to memory of 1892	2536	31970365cad3425aa523a7815d695f3c.exe	77
PID 2536 wrote to memory of 1788	2536	31970365cad3425aa523a7815d695f3c.exe	78
PID 2536 wrote to memory of 1788	2536	31970365cad3425aa523a7815d695f3c.exe	78
PID 2536 wrote to memory of 1788	2536	31970365cad3425aa523a7815d695f3c.exe	78
PID 2536 wrote to memory of 1784	2536	31970365cad3425aa523a7815d695f3c.exe	79
PID 2536 wrote to memory of 1784	2536	31970365cad3425aa523a7815d695f3c.exe	79
PID 2536 wrote to memory of 1784	2536	31970365cad3425aa523a7815d695f3c.exe	79
PID 2536 wrote to memory of 2376	2536	31970365cad3425aa523a7815d695f3c.exe	80
PID 2536 wrote to memory of 2376	2536	31970365cad3425aa523a7815d695f3c.exe	80
PID 2536 wrote to memory of 2376	2536	31970365cad3425aa523a7815d695f3c.exe	80
PID 2536 wrote to memory of 2740	2536	31970365cad3425aa523a7815d695f3c.exe	89
PID 2536 wrote to memory of 2740	2536	31970365cad3425aa523a7815d695f3c.exe	89
PID 2536 wrote to memory of 2740	2536	31970365cad3425aa523a7815d695f3c.exe	89
PID 2740 wrote to memory of 2996	2740	31970365cad3425aa523a7815d695f3c.exe	123
PID 2740 wrote to memory of 2996	2740	31970365cad3425aa523a7815d695f3c.exe	123
PID 2740 wrote to memory of 2996	2740	31970365cad3425aa523a7815d695f3c.exe	123
PID 2740 wrote to memory of 2172	2740	31970365cad3425aa523a7815d695f3c.exe	124
PID 2740 wrote to memory of 2172	2740	31970365cad3425aa523a7815d695f3c.exe	124
PID 2740 wrote to memory of 2172	2740	31970365cad3425aa523a7815d695f3c.exe	124
PID 2740 wrote to memory of 3004	2740	31970365cad3425aa523a7815d695f3c.exe	125
PID 2740 wrote to memory of 3004	2740	31970365cad3425aa523a7815d695f3c.exe	125
PID 2740 wrote to memory of 3004	2740	31970365cad3425aa523a7815d695f3c.exe	125
PID 2740 wrote to memory of 1588	2740	31970365cad3425aa523a7815d695f3c.exe	126
PID 2740 wrote to memory of 1588	2740	31970365cad3425aa523a7815d695f3c.exe	126
PID 2740 wrote to memory of 1588	2740	31970365cad3425aa523a7815d695f3c.exe	126
PID 2740 wrote to memory of 2428	2740	31970365cad3425aa523a7815d695f3c.exe	129
PID 2740 wrote to memory of 2428	2740	31970365cad3425aa523a7815d695f3c.exe	129
PID 2740 wrote to memory of 2428	2740	31970365cad3425aa523a7815d695f3c.exe	129
PID 2740 wrote to memory of 1496	2740	31970365cad3425aa523a7815d695f3c.exe	131
PID 2740 wrote to memory of 1496	2740	31970365cad3425aa523a7815d695f3c.exe	131
PID 2740 wrote to memory of 1496	2740	31970365cad3425aa523a7815d695f3c.exe	131
PID 2740 wrote to memory of 2308	2740	31970365cad3425aa523a7815d695f3c.exe	132
PID 2740 wrote to memory of 2308	2740	31970365cad3425aa523a7815d695f3c.exe	132
PID 2740 wrote to memory of 2308	2740	31970365cad3425aa523a7815d695f3c.exe	132
PID 2740 wrote to memory of 1396	2740	31970365cad3425aa523a7815d695f3c.exe	133
PID 2740 wrote to memory of 1396	2740	31970365cad3425aa523a7815d695f3c.exe	133
PID 2740 wrote to memory of 1396	2740	31970365cad3425aa523a7815d695f3c.exe	133
PID 2740 wrote to memory of 2880	2740	31970365cad3425aa523a7815d695f3c.exe	134

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31970365cad3425aa523a7815d695f3c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	31970365cad3425aa523a7815d695f3c.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\31970365cad3425aa523a7815d695f3c.exe
"C:\Users\Admin\AppData\Local\Temp\31970365cad3425aa523a7815d695f3c.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\31970365cad3425aa523a7815d695f3c.exe
  "C:\Users\Admin\AppData\Local\Temp\31970365cad3425aa523a7815d695f3c.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Scenes\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Tasks\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\fr-FR\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\fr-FR\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
532c67b83ffb5da1d5a0f51871eb58fd

SHA1
7eb95ea505672163c92ae62caf0b2494cea924dd

SHA256
177c0786fe4fe3fb506df369132e749beb4d8b60b9e5d1963df234fd72e6fbf2

SHA512
ef2d0ce19a3e69825dae250d6e93727a075415e6d5dd550ab1cb3df1ebb6c3dc3c99987a56d7e4487e85e9aa33bcedebe0cd27901b01df20ef1730291276dcb6

Download Submit
C:\Users\Default\audiodg.exe

Filesize
1.2MB

MD5
31970365cad3425aa523a7815d695f3c

SHA1
1c6196284ec2666000bda7c091cda224fad77473

SHA256
0c0b4ee3d14fa4db0bc8268ed908480dd3b977fa3c98bcb930a52fc2839d35b4

SHA512
7e95cf8c6ac59ab53c8cdaca6fab41ff7c968afa692f88b2bb90966db9eb1682ac969043d1fea6db876b7df3665dfc522b736257db798e574b2344626c0bde49

Download Submit
memory/1460-174-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/1788-138-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2364-250-0x0000000000CE0000-0x0000000000E12000-memory.dmp

Filesize
1.2MB

Download
memory/2536-12-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2536-5-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2536-9-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2536-8-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2536-10-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2536-11-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2536-0-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

Filesize
4KB

Download
memory/2536-13-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2536-6-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2536-7-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2536-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2536-3-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/2536-175-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

Filesize
4KB

Download
memory/2536-176-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2536-2-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2536-1-0x0000000000890000-0x00000000009C2000-memory.dmp

Filesize
1.2MB

Download
memory/2996-229-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2996-227-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download