dcrat | 16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Size

4.9MB
MD5

d6c32cc92aff05247e665fec5d1ca5ed
SHA1

864e040db2c99477669bbe45261d8d93ebdba021
SHA256

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00
SHA512

b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2672	schtasks.exe
2416	schtasks.exe
3044	schtasks.exe
2952	schtasks.exe
1096	schtasks.exe
912	schtasks.exe
704	schtasks.exe
2060	schtasks.exe
2760	schtasks.exe
1940	schtasks.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\0a1fd5f707cd16	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2000	schtasks.exe
File created	C:\Windows\AppPatch\it-IT\6cb0b6c459d5d3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
1884	schtasks.exe
2504	schtasks.exe
1752	schtasks.exe
2252	schtasks.exe
300	schtasks.exe
2648	schtasks.exe
864	schtasks.exe
2544	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
1996	schtasks.exe
2808	schtasks.exe
2744	schtasks.exe
1456	schtasks.exe
868	schtasks.exe
File created	C:\Program Files\Internet Explorer\f3b6ecef712a24	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2640	schtasks.exe
2348	schtasks.exe
1480	schtasks.exe
1444	schtasks.exe
864	schtasks.exe
2144	schtasks.exe
568	schtasks.exe
3012	schtasks.exe
2780	schtasks.exe
2216	schtasks.exe
2764	schtasks.exe
628	schtasks.exe
3024	schtasks.exe
1732	schtasks.exe
1056	schtasks.exe
1920	schtasks.exe
1872	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
892	schtasks.exe
288	schtasks.exe
2596	schtasks.exe
2692	schtasks.exe
2656	schtasks.exe
1712	schtasks.exe
2676	schtasks.exe
764	schtasks.exe
1236	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\b75386f1303e64	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2680	schtasks.exe
2500	schtasks.exe
960	schtasks.exe
2548	schtasks.exe
2476	schtasks.exe
2816	schtasks.exe
2796	schtasks.exe
2932	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2472	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exelsm.exelsm.exelsm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2568-2-0x000000001B600000-0x000000001B72E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2156	powershell.exe
1528	powershell.exe
1916	powershell.exe
1980	powershell.exe
820	powershell.exe
2308	powershell.exe
2328	powershell.exe
612	powershell.exe
1532	powershell.exe
1280	powershell.exe
960	powershell.exe
3064	powershell.exe
1040	powershell.exe
1580	powershell.exe
3028	powershell.exe
1956	powershell.exe
1648	powershell.exe
1544	powershell.exe
880	powershell.exe
1044	powershell.exe
3068	powershell.exe
1132	powershell.exe
2152	powershell.exe
1792	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	process
1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2804	lsm.exe
1336	lsm.exe
1796	lsm.exe
3068	lsm.exe
1480	lsm.exe
1192	lsm.exe
2044	lsm.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 38 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC3DF.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\24dbde2999530e	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXD322.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Internet Explorer\f3b6ecef712a24	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXD11F.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Reference Assemblies\48644afaaf39c9	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Windows Portable Devices\dllhost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Internet Explorer\spoolsv.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\0a1fd5f707cd16	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Internet Explorer\spoolsv.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\b75386f1303e64	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\dwm.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXCF1B.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Uninstall Information\dwm.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Reference Assemblies\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXBF3B.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Program Files\Windows Portable Devices\dllhost.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

Drops file in Windows directory 4 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

description	ioc	process
File created	C:\Windows\AppPatch\it-IT\dwm.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File created	C:\Windows\AppPatch\it-IT\6cb0b6c459d5d3	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Windows\AppPatch\it-IT\RCXC68F.tmp	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
File opened for modification	C:\Windows\AppPatch\it-IT\dwm.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1744	schtasks.exe
628	schtasks.exe
2672	schtasks.exe
2680	schtasks.exe
1480	schtasks.exe
2144	schtasks.exe
2000	schtasks.exe
1512	schtasks.exe
2216	schtasks.exe
2336	schtasks.exe
2000	schtasks.exe
1096	schtasks.exe
2892	schtasks.exe
2544	schtasks.exe
2952	schtasks.exe
2348	schtasks.exe
2796	schtasks.exe
1044	schtasks.exe
2640	schtasks.exe
2760	schtasks.exe
764	schtasks.exe
2252	schtasks.exe
1444	schtasks.exe
1712	schtasks.exe
2504	schtasks.exe
1752	schtasks.exe
1732	schtasks.exe
1704	schtasks.exe
1236	schtasks.exe
1056	schtasks.exe
2692	schtasks.exe
1456	schtasks.exe
568	schtasks.exe
2548	schtasks.exe
2816	schtasks.exe
2904	schtasks.exe
2416	schtasks.exe
2060	schtasks.exe
672	schtasks.exe
1260	schtasks.exe
1156	schtasks.exe
2460	schtasks.exe
1808	schtasks.exe
3012	schtasks.exe
2872	schtasks.exe
1456	schtasks.exe
960	schtasks.exe
912	schtasks.exe
892	schtasks.exe
704	schtasks.exe
2116	schtasks.exe
2744	schtasks.exe
2596	schtasks.exe
864	schtasks.exe
3044	schtasks.exe
1996	schtasks.exe
1000	schtasks.exe
2808	schtasks.exe
2656	schtasks.exe
1872	schtasks.exe
1940	schtasks.exe
1708	schtasks.exe
864	schtasks.exe
868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	process
2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
3068	powershell.exe
820	powershell.exe
1132	powershell.exe
1040	powershell.exe
2152	powershell.exe
3064	powershell.exe
1916	powershell.exe
2308	powershell.exe
2328	powershell.exe
2156	powershell.exe
1044	powershell.exe
1528	powershell.exe
1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
1580	powershell.exe
1956	powershell.exe
1980	powershell.exe
1532	powershell.exe
612	powershell.exe
1648	powershell.exe
1280	powershell.exe
1792	powershell.exe
960	powershell.exe
3028	powershell.exe
1544	powershell.exe
880	powershell.exe
2804	lsm.exe
1336	lsm.exe
1796	lsm.exe
3068	lsm.exe
1480	lsm.exe
1192	lsm.exe
2044	lsm.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2804	lsm.exe
Token: SeDebugPrivilege	1336	lsm.exe
Token: SeDebugPrivilege	1796	lsm.exe
Token: SeDebugPrivilege	3068	lsm.exe
Token: SeDebugPrivilege	1480	lsm.exe
Token: SeDebugPrivilege	1192	lsm.exe
Token: SeDebugPrivilege	2044	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.execmd.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

description	pid	process	target process
PID 2568 wrote to memory of 1044	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1044	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1044	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 820	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 820	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 820	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 3064	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 3064	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 3064	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 3068	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 3068	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 3068	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2156	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2156	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2156	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1132	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1132	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1132	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1528	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1528	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1528	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2152	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2152	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2152	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1916	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1916	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1916	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2308	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2308	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2308	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2328	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2328	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 2328	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1040	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1040	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 1040	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 2568 wrote to memory of 592	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	cmd.exe
PID 2568 wrote to memory of 592	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	cmd.exe
PID 2568 wrote to memory of 592	2568	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	cmd.exe
PID 592 wrote to memory of 2968	592	cmd.exe	w32tm.exe
PID 592 wrote to memory of 2968	592	cmd.exe	w32tm.exe
PID 592 wrote to memory of 2968	592	cmd.exe	w32tm.exe
PID 592 wrote to memory of 1008	592	cmd.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
PID 592 wrote to memory of 1008	592	cmd.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
PID 592 wrote to memory of 1008	592	cmd.exe	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
PID 1008 wrote to memory of 1580	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1580	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1580	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 3028	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 3028	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 3028	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1956	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1956	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1956	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 612	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 612	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 612	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1532	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1532	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1532	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1648	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1648	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1648	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe
PID 1008 wrote to memory of 1280	1008	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe	powershell.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

lsm.exelsm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exelsm.exelsm.exelsm.exelsm.exelsm.exe16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
"C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Eo5FP2oB0G.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
    "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtwHUJyt6A.bat"
      4⤵
      PID:2316
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1720
    - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2804
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7ddc33-2b09-4a71-8dc1-45af7c6cf06a.vbs"
        6⤵
        
        PID:2568
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1458ba35-5c18-4088-98b3-6b1e0d1313a6.vbs"
        8⤵
        
        PID:772
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de12ebbb-d4c0-42ce-b139-77230c4eaa23.vbs"
        10⤵
        
        PID:2860
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197127b3-2cb2-4dfd-afe8-3f37b44fd5b5.vbs"
        12⤵
        
        PID:300
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb0769b6-a4cf-4b00-ad6f-b78738ac17cf.vbs"
        14⤵
        
        PID:896
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4091d286-77da-4820-ae6f-9d724060dcac.vbs"
        16⤵
        
        PID:2852
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0872eeb6-386f-4548-a59c-cac2ea235a76.vbs"
        18⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c7b2e36-54c6-4c5b-983d-e64ddfe5d71c.vbs"
        18⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09840d5d-fef3-4c27-b650-42a34969e36c.vbs"
        16⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254b6c8c-23d9-43c0-ab69-b4ec3c0dde8f.vbs"
        14⤵
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\237e8b08-ee68-440f-baad-b7b2e6c7c213.vbs"
        12⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb89bd8-8154-49d9-8f6a-6abc6500c2b1.vbs"
        10⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da348844-e155-4684-8923-1597cb68d57e.vbs"
        8⤵
        
        PID:764
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e70d2936-3515-4b92-9885-6832cb87f67f.vbs"
        6⤵
        
        PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\it-IT\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f001" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f001" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- DcRat
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe

Filesize
4.9MB

MD5
d6c32cc92aff05247e665fec5d1ca5ed

SHA1
864e040db2c99477669bbe45261d8d93ebdba021

SHA256
16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

SHA512
b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe

Filesize
4.9MB

MD5
71f1bebc23e727090b1baef7cad78d6b

SHA1
1a1744beabec83eb55cb1b08e22c6b7642ec49ba

SHA256
e89e518d67b1ec0801dceb70053b85719833d5fafec5b626f1f85905ee38ac84

SHA512
804ffedc56b80ad2692d39c9c8319c5d8eddf9274bdf827c67b61a40278fed894b2dd63cbe78e4b1e1cf2b2015221d22e15129f0c0ee5a6f09a49f66b774e030

Download Submit
C:\Users\Admin\AppData\Local\Temp\0872eeb6-386f-4548-a59c-cac2ea235a76.vbs

Filesize
732B

MD5
d2a8763d60ee24618ec9b4f16937c1ef

SHA1
1614db3fc48b11e0f35e00a899dd81a90a004c64

SHA256
447468d72ed5a6e38972cef88eb25041a2a8df60bef5c32400b5718284e96cd7

SHA512
13e3ad236a9f5b3d3bb2ef633c434d31d9f8fc42149f40ed475993e672a171d161bfd8ae55a4ccba58665eb7c1a48ab861072a21c546fc9ddd3b879b20f37b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1458ba35-5c18-4088-98b3-6b1e0d1313a6.vbs

Filesize
732B

MD5
75b52b712210069e261ccbd9272c8b69

SHA1
281178783961ec8de93c704a8ca29c53cbab1888

SHA256
0eab198562bd5285ab9253e0146ab54d41eed6cf031e49f77ae5df0096ad3736

SHA512
843192498c2a45c01d6a67df8a091890254d907c50c6d6aeddc0eae02d46dca851c875db676648d18f09d0361d7f72cdd961d98eafd495fd417f604ca4ff9773

Download Submit
C:\Users\Admin\AppData\Local\Temp\197127b3-2cb2-4dfd-afe8-3f37b44fd5b5.vbs

Filesize
732B

MD5
8f0911e5ea0cbe3f90da9580d83766d7

SHA1
09b7f6baabd28ecbcb3579e327f38710afaef50e

SHA256
42a4cfb2f337991d2098917b2060846d51f89e194591f654c0eacb78c24bb586

SHA512
c45dd67548028568dbd9fa88b4374099b188ea0ebf22279a9311bb850edb804b15dc5487cd6746fd76a39c5b04c103b56e276cbe263761abba8e0f57348c0311

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a7ddc33-2b09-4a71-8dc1-45af7c6cf06a.vbs

Filesize
732B

MD5
187e3d7e66cd57d46023f47ec79775f3

SHA1
8cd5b8395d3d35db8e66ffea39f43e6c05e24cb7

SHA256
24ed45bbfaf97281bc30649b8de47cdddb23f616be40a6f1fec5713e748341a7

SHA512
21acc735da0bd70f911629e7681a7e33b8a83cddc537446301e7aec330784faa1225b376d101a3a47ed9ea5eb339360233e0a1b8e0babdec281306b04011e296

Download Submit
C:\Users\Admin\AppData\Local\Temp\4091d286-77da-4820-ae6f-9d724060dcac.vbs

Filesize
732B

MD5
8558bb7d0c00e09c16bcaf3ad6f300e5

SHA1
bb3843793314a6804f2c9ff73649e6c01e38e451

SHA256
a1cd40b7bbb38e2dfdfc082dcf2a1917e5bf6d12cc639b2585eb37a4779e8f28

SHA512
a26103455d4c0b5c7db18157e2ad40615066315e548c69f26c3be1109bc6f5f092bff33485a3dda86b954e1aaa682b79126a27d4f3e611853c6e6f0661a08215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eo5FP2oB0G.bat

Filesize
267B

MD5
9a8fac341e67821c86fdcef170776110

SHA1
131eaa892d3626cca68e4fe9dddaca29e9870996

SHA256
61576d9d7bc42f7a0539721dcf4d90988eaa28ab8fe87b25e362aa9edbb0e745

SHA512
54599111987828be013833c9f454ac79c23cda26bfa77f3af65e09513c8c4fd99259250876da37419eb06595d376f4c4f600cce16739bb979ea4c719d2a51c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb0769b6-a4cf-4b00-ad6f-b78738ac17cf.vbs

Filesize
732B

MD5
d5bf754f63d90bba7c51cf64c4cac6ce

SHA1
0700a9bfcf0f41313c545df85f129431834545a6

SHA256
0e561b22698828aae67cca594334d5c311c127305ccc78b25c8416f404b990d2

SHA512
e91dc9000453f80a5458218b139ebcfddc60103888961358767b181d6743240fda9879546e7137bc8d668b55c9bd9623ca4307b8b07b98837b7c51b653d94cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\de12ebbb-d4c0-42ce-b139-77230c4eaa23.vbs

Filesize
732B

MD5
406aa5869864d2345bdb5505293afcda

SHA1
c1ee728699cb2836c4e3389f72c3cbecd7292e30

SHA256
c37bc90419a654c6ddf73c94d3ffaf6112c0523680ab7eaa769fb0084cf624a5

SHA512
95f8f2ebc658c9077fa7db15d368c1cbc57147110e703cd41a18407c14b35dad27aa6ea033ee7030b490a5bade2bf3b29c9c325abcfdb2d020501314563dc5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e70d2936-3515-4b92-9885-6832cb87f67f.vbs

Filesize
508B

MD5
80fad5e7a439af0e0fb4aee76a244818

SHA1
776e9084d96635f0a0dfcf853d03b997efe4ef87

SHA256
ce22f2f1838fb4cfd8c9ee751f50091c47156bc9364741a04af41fd093d8d440

SHA512
9130780d55d73c068408179a75542317a17ac3bdeb945ec629e74390b454450687b776bf829b27d8cf0b86303d923fc15ae31bfaa6e55979bdb4a16fc614be66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFCD6.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtwHUJyt6A.bat

Filesize
221B

MD5
c7e7082604d302ab9c22ddbd3b22c394

SHA1
4e5151b1fbfcff2668bbe1dc40f27c9176cb07b0

SHA256
d68a759e9330e176ba33ac7d4e72788d1decce74e4b6582e7d833b47a4aeb9f6

SHA512
42328e48432746f63bd2cc350fd10441fd12392f1a59a02d62ef000897aa10a750011b9e2f715380260c54ab4a1063a0a1ac7be40346e3f877d01d139d209d1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
736e92826ee8cd48d18e2be9772663da

SHA1
94383d0292ef855ca3c2463e85d70a8dca2b0e9f

SHA256
468b073a4ec0d74ead61cbcaa7972907f4390b0e23ffdc5c485260969d19e7ab

SHA512
7910a3d90d619e55cc941295430f41610dd34f18ad88fde8dccb55384c616ec9bcddc62bec1a19d27ecc9fcd378a71d57223a58671dda6248e49288a94a0542f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c06d7b05c3637cc476c570f015012958

SHA1
2fabbe44ab11f86bcce3e5181a578119db0e62f3

SHA256
c483d72e4300396b2dbc3a9fb0d93ea7891070ea90cd5a364d68361ef8757122

SHA512
91270fadafe1c92eeccd31cf5a28f5f036a178437fed6ccc355bb2203f2896b0982351ad28741677636d97c091dcea4d43f61cf859ce9494fafdb1ecafd4b069

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1008-179-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/1192-393-0x0000000000F20000-0x0000000001414000-memory.dmp

Filesize
5.0MB

Download
memory/1192-394-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1480-377-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download
memory/1480-378-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/1580-263-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1580-257-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1796-346-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/2568-11-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2568-10-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2568-1-0x0000000000F70000-0x0000000001464000-memory.dmp

Filesize
5.0MB

Download
memory/2568-2-0x000000001B600000-0x000000001B72E000-memory.dmp

Filesize
1.2MB

Download
memory/2568-14-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2568-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/2568-15-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/2568-3-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-13-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/2568-12-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/2568-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2568-142-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-9-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2568-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2568-5-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2568-8-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2568-7-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2568-6-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2804-318-0x0000000001350000-0x0000000001844000-memory.dmp

Filesize
5.0MB

Download
memory/3068-362-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/3068-361-0x0000000000170000-0x0000000000664000-memory.dmp

Filesize
5.0MB

Download
memory/3068-125-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/3068-124-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download