dcrat | 6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Size

2.6MB
MD5

0163b78fa3d6908eb367abed8f3e9e94
SHA1

240609d82a62a8017ad3d81ac4271cd7606b5573
SHA256

6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773
SHA512

f0258f74d10b9d1f3cfab6c36afe7e411b9c3cea7641529b5fc3e62706787c9685b6dfccf3fdde708102b43f517a734572da77407f9f4f1d94754fdec1554748
SSDEEP

49152:Z35SQwOGHHy3Gv6KelFCGDZPU542T5eYfn4jmnHwDKni5JsJ:ZpSQEHIKqFCGDZs54+5eYfnCMQ+i5Ja

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1700	schtasks.exe
		2980	schtasks.exe
		2320	schtasks.exe
		1676	schtasks.exe
		1844	schtasks.exe
		2692	schtasks.exe
		1492	schtasks.exe
File created	C:\Windows\ehome\wow\f3b6ecef712a24		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		1908	schtasks.exe
		1960	schtasks.exe
		2688	schtasks.exe
		2560	schtasks.exe
		1736	schtasks.exe
		2676	schtasks.exe
		2388	schtasks.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\6cb0b6c459d5d3		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		1740	schtasks.exe
		2604	schtasks.exe
File created	C:\Windows\assembly\6203df4a6bafc7		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		1608	schtasks.exe
		2488	schtasks.exe
		1404	schtasks.exe
		2636	schtasks.exe
		1716	schtasks.exe
		1748	schtasks.exe
		2304	schtasks.exe
		2624	schtasks.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\56085415360792		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		1588	schtasks.exe
		860	schtasks.exe
		2924	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\101b941d020240		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		2612	schtasks.exe
		1616	schtasks.exe
		2544	schtasks.exe
		1772	schtasks.exe
		776	schtasks.exe
		1792	schtasks.exe
		1816	schtasks.exe
File created	C:\Windows\twain_32\886983d96e3d3e		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		2368	schtasks.exe
		2880	schtasks.exe
		2712	schtasks.exe
		824	schtasks.exe
		2896	schtasks.exe
		2824	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Mozilla Firefox\f3b6ecef712a24		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		2400	schtasks.exe
		2936	schtasks.exe
File created	C:\Windows\Media\Landscape\42af1c969fbb7b		6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
		2824	schtasks.exe
		924	schtasks.exe
		888	schtasks.exe
		2520	schtasks.exe
		2780	schtasks.exe
		1392	schtasks.exe
		2960	schtasks.exe
		1264	schtasks.exe
		1884	schtasks.exe
		1312	schtasks.exe
		2364	schtasks.exe
		1160	schtasks.exe
		2632	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2724	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2168-1-0x0000000000830000-0x0000000000AD8000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d63-27.dat	dcrat
behavioral1/files/0x000a000000016d3f-106.dat	dcrat
behavioral1/files/0x0009000000016d2e-117.dat	dcrat
behavioral1/files/0x0008000000016d63-126.dat	dcrat
behavioral1/files/0x000a000000017491-173.dat	dcrat
behavioral1/files/0x000b0000000192a9-227.dat	dcrat
behavioral1/memory/2544-290-0x00000000009C0000-0x0000000000C68000-memory.dmp	dcrat
behavioral1/memory/2440-343-0x00000000011B0000-0x0000000001458000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2544	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXD132.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD5A7.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\62a6f6c287429c	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\6cb0b6c459d5d3	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXB3D7.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXB3D8.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXD887.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Mozilla Firefox\spoolsv.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6cb0b6c459d5d3	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXC15B.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXD131.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\System.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Java\jre7\lsm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Mozilla Firefox\f3b6ecef712a24	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Mail\en-US\62a6f6c287429c	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\101b941d020240	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXDA8C.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Mail\en-US\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Java\jre7\101b941d020240	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Mozilla Firefox\spoolsv.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD616.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\101b941d020240	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\wininit.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\56085415360792	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\wininit.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXDA8B.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Microsoft.NET\System.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files\Java\jre7\lsm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\69ddcba757bf72	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Microsoft.NET\27d1bcfc3c54e0	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXD888.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\smss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXC15A.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Media\Landscape\audiodg.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\Media\Landscape\42af1c969fbb7b	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCXC843.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\ehome\wow\f3b6ecef712a24	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Media\Landscape\audiodg.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\000A\smss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\twain_32\RCXC63F.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\ehome\wow\spoolsv.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\twain_32\RCXC63E.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\Tasks\7a0fd90576e088	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\assembly\lsass.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\diagnostics\index\spoolsv.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Media\Landscape\RCXB5EC.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\assembly\RCXBCE4.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\twain_32\csrss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\000A\69ddcba757bf72	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\Branding\Basebrd\en-US\6ccacd8608530f	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\ehome\wow\spoolsv.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\Tasks\explorer.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\twain_32\csrss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\twain_32\886983d96e3d3e	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Media\Landscape\RCXB5DB.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\000A\RCXBA04.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\ehome\wow\RCXC43A.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\Idle.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\assembly\6203df4a6bafc7	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\Branding\Basebrd\en-US\Idle.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\assembly\RCXBC76.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\assembly\lsass.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCXC8B1.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\Tasks\explorer.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\000A\smss.exe	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\000A\RCXBA72.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
File opened for modification	C:\Windows\ehome\wow\RCXC3CC.tmp	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2004	schtasks.exe
2368	schtasks.exe
1608	schtasks.exe
2388	schtasks.exe
2520	schtasks.exe
2732	schtasks.exe
2684	schtasks.exe
2732	schtasks.exe
1492	schtasks.exe
1736	schtasks.exe
888	schtasks.exe
2936	schtasks.exe
3024	schtasks.exe
2900	schtasks.exe
2164	schtasks.exe
1108	schtasks.exe
3020	schtasks.exe
1028	schtasks.exe
1404	schtasks.exe
1876	schtasks.exe
1264	schtasks.exe
2624	schtasks.exe
1660	schtasks.exe
1816	schtasks.exe
2924	schtasks.exe
2896	schtasks.exe
2612	schtasks.exe
2676	schtasks.exe
824	schtasks.exe
1160	schtasks.exe
2304	schtasks.exe
1616	schtasks.exe
2140	schtasks.exe
408	schtasks.exe
2780	schtasks.exe
1884	schtasks.exe
2796	schtasks.exe
1228	schtasks.exe
1588	schtasks.exe
2364	schtasks.exe
924	schtasks.exe
3000	schtasks.exe
1676	schtasks.exe
776	schtasks.exe
1740	schtasks.exe
776	schtasks.exe
1904	schtasks.exe
2944	schtasks.exe
1700	schtasks.exe
2604	schtasks.exe
2488	schtasks.exe
1908	schtasks.exe
2636	schtasks.exe
2824	schtasks.exe
2560	schtasks.exe
1280	schtasks.exe
2856	schtasks.exe
1632	schtasks.exe
2192	schtasks.exe
2400	schtasks.exe
860	schtasks.exe
2712	schtasks.exe
1748	schtasks.exe
1616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2544	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Token: SeDebugPrivilege	2544	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Token: SeDebugPrivilege	2440	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 904	2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	89
PID 2168 wrote to memory of 904	2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	89
PID 2168 wrote to memory of 904	2168	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	89
PID 904 wrote to memory of 1828	904	cmd.exe	91
PID 904 wrote to memory of 1828	904	cmd.exe	91
PID 904 wrote to memory of 1828	904	cmd.exe	91
PID 904 wrote to memory of 2544	904	cmd.exe	92
PID 904 wrote to memory of 2544	904	cmd.exe	92
PID 904 wrote to memory of 2544	904	cmd.exe	92
PID 2544 wrote to memory of 1356	2544	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	126
PID 2544 wrote to memory of 1356	2544	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	126
PID 2544 wrote to memory of 1356	2544	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe	126
PID 1356 wrote to memory of 1940	1356	cmd.exe	128
PID 1356 wrote to memory of 1940	1356	cmd.exe	128
PID 1356 wrote to memory of 1940	1356	cmd.exe	128
PID 1356 wrote to memory of 2440	1356	cmd.exe	129
PID 1356 wrote to memory of 2440	1356	cmd.exe	129
PID 1356 wrote to memory of 2440	1356	cmd.exe	129

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
"C:\Users\Admin\AppData\Local\Temp\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eFR6a9mIY7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
    "C:\Users\Admin\AppData\Local\Temp\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bxSkVmu9OG.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1940
    - - C:\Users\Default User\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe
        
        "C:\Users\Default User\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Landscape\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\SMSvcHost 4.0.0.0\000A\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\SMSvcHost 4.0.0.0\000A\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\SMSvcHost 4.0.0.0\000A\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\assembly\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\wow\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ehome\wow\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\wow\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\en-US\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773" /sc ONLOGON /tr "'C:\Users\Default\Music\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Network Sharing\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773" /sc ONLOGON /tr "'C:\Users\Default User\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e817736" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f
1⤵
- DcRat
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\System.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\System.exe'" /rl HIGHEST /f
1⤵
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
1⤵
- DcRat
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\RCXD3A3.tmp

Filesize
2.6MB

MD5
1c0f19f034c4493743ec5b0eebe76c63

SHA1
f5b2072bc596e20659e99e08c5254ee124960ee6

SHA256
7398ee30d369c8e025c837ef1cb4c3e515d7785cf42e901173a796286fdce5ab

SHA512
3d4aa6d013cd028b369c90f946d6a31193da6eb16f3df7571151c030517185b357e15f715bb60a95014fcdaef99524e287342e06686ad1849549e7ae10752d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxSkVmu9OG.bat

Filesize
255B

MD5
4c9d13eadee2224cd015b12556a051e2

SHA1
c5ad7ffe4a7cddd2e1cdc62560695e6eaf3ada6a

SHA256
0414fd64cee7bea66b65e36412a6e6ae5d17e0d0a3fbcd89d5efcbdb8b7c69a1

SHA512
3b867d03eece33355198c3ef5cc86cfc0c1093691438df78db41bcf8796886e470a371129d80b3890f0ba3a0795d77501769ee62c7e929feedb8ae241a40906c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eFR6a9mIY7.bat

Filesize
267B

MD5
dbcd9b0cd0bb7fc0024ef646ebe3db8b

SHA1
fe1b0b189e956f0c75f0840acd0192fa3b8a6529

SHA256
78fb81e03f8a52524d8f519d6560ecf163da855143ce112c4820675b0779ff1c

SHA512
4268cc649af18c41cb5da04b500c53df69c6bf35db645f99961dd15c74bb33ddab8accd90d2bf41a9f94776caa567570fdf526119b8d7cd2aaff52c755b0b5b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\dllhost.exe

Filesize
2.6MB

MD5
8480c527f053f7b1ffea922e757bf786

SHA1
e782925aa82c11f244ec81d5dcd3c4526f504f19

SHA256
57942905283b630756a6121ba872ec3f716d0ae49e95ab78b736aa56d4720912

SHA512
04bc95842543e3e4cdc32f31e428b8770faa5ab4691dc77a5dec7fc7ce3fdded074d732e851d0c4bfc516cfcc46e986e37d22c3a38fdd16fa3d061dbff531870

Download Submit
C:\Windows\Branding\Basebrd\en-US\Idle.exe

Filesize
2.6MB

MD5
26b73c012a11c6e2c1389d9e40540a5b

SHA1
4b46e207288a531e12f77cbff78d2ff56e849494

SHA256
4d68f41c0d6458e1b8273748ce8c5d2de52c0f5e66802631a8e37947e3ebc06c

SHA512
3a2525b93023151f3c286f20fa33269cc87375c80db43f8a016838360ea0492ea4ed057e6b5d6cdaf2db6dc06504ff56d3f4e2f2cf4b68371568bc995c111fa1

Download Submit
C:\Windows\assembly\lsass.exe

Filesize
2.6MB

MD5
0163b78fa3d6908eb367abed8f3e9e94

SHA1
240609d82a62a8017ad3d81ac4271cd7606b5573

SHA256
6a424fb0461a71270d9994efea75bced7b4081a1fe16cdc6deb1a8f015e81773

SHA512
f0258f74d10b9d1f3cfab6c36afe7e411b9c3cea7641529b5fc3e62706787c9685b6dfccf3fdde708102b43f517a734572da77407f9f4f1d94754fdec1554748

Download Submit
C:\Windows\assembly\lsass.exe

Filesize
2.6MB

MD5
03951bfb5f5c1b9930af361c8a12283c

SHA1
09e6fe3cc8174b68d88f3fba6720ce86910eaa6c

SHA256
a8d4ac4f9d678af6023350bf66596cd8bc2b766835863fbfa1e202eabdc13bfa

SHA512
880a620041cdb1c300cd710d3704a2cbb7f2eeb0c05b9672b0769b4aef4740328d34ca2ec3a71f7bac1bbd5595f06103925650701020c4550b75be8e6fa0b09c

Download Submit
C:\Windows\inf\SMSvcHost 4.0.0.0\000A\smss.exe

Filesize
2.6MB

MD5
601ff87d374c627f05f0d13608d00ad3

SHA1
ff8a7d91427f4b156adebac25e114f5a07fff0d1

SHA256
74b8f8422be3663e2775e96a760bed0229dde361af88e7bc5317f06bfe43ba34

SHA512
cdecdfe1cb5bbc69eeead67de725457f11f9928e4a288d5e888463b3a3e6fa29f74690033531a6ae1bbc5e8e81f79263c692c41eb44c548b4850c79b3f55e166

Download Submit
memory/2168-16-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/2168-6-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2168-10-0x0000000002280000-0x00000000022D6000-memory.dmp

Filesize
344KB

Download
memory/2168-11-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2168-12-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/2168-13-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2168-14-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/2168-15-0x0000000002190000-0x000000000219C000-memory.dmp

Filesize
48KB

Download
memory/2168-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2168-17-0x00000000021F0000-0x00000000021FC000-memory.dmp

Filesize
48KB

Download
memory/2168-18-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/2168-8-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/2168-7-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/2168-9-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2168-5-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2168-4-0x0000000000780000-0x000000000079C000-memory.dmp

Filesize
112KB

Download
memory/2168-211-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2168-223-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-3-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2168-287-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-1-0x0000000000830000-0x0000000000AD8000-memory.dmp

Filesize
2.7MB

Download
memory/2440-343-0x00000000011B0000-0x0000000001458000-memory.dmp

Filesize
2.7MB

Download
memory/2544-291-0x0000000002170000-0x00000000021C6000-memory.dmp

Filesize
344KB

Download
memory/2544-290-0x00000000009C0000-0x0000000000C68000-memory.dmp

Filesize
2.7MB

Download