dcrat | 88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Size

4.9MB
MD5

e27d9077d56e3cbdab770a0d9cbadf16
SHA1

0e7fac5090694c16c4eca567438473aed3ac4c0f
SHA256

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155
SHA512

2dc6629f1364c3b43bc2d481038bcf1c086dceed0b29b80dacbf8d4b52b27a06bce6769d45fbd0b753d6199205d7c08d6de59c3778c42280ff4c5eee3258ee88
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8a:S

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		2476	schtasks.exe
		2336	schtasks.exe
		3032	schtasks.exe
		776	schtasks.exe
		2808	schtasks.exe
		2408	schtasks.exe
		524	schtasks.exe
		580	schtasks.exe
		2304	schtasks.exe
		2420	schtasks.exe
		2656	schtasks.exe
		3040	schtasks.exe
		2480	schtasks.exe
		1536	schtasks.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc		88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
		2400	schtasks.exe
		2844	schtasks.exe
		2328	schtasks.exe
		1620	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\42af1c969fbb7b		88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
		1908	schtasks.exe
		812	schtasks.exe
		2076	schtasks.exe
		2404	schtasks.exe
		2248	schtasks.exe
		832	schtasks.exe
		2580	schtasks.exe
		2336	schtasks.exe
		3044	schtasks.exe
		2220	schtasks.exe
		280	schtasks.exe
		1748	schtasks.exe
		2140	schtasks.exe
File created	C:\Windows\en-US\27d1bcfc3c54e0		88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
		2092	schtasks.exe
		876	schtasks.exe
		2668	schtasks.exe
		2960	schtasks.exe
		2468	schtasks.exe
		1728	schtasks.exe
		2572	schtasks.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\69ddcba757bf72		88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
		1100	schtasks.exe
		1568	schtasks.exe
		2224	schtasks.exe
		2344	schtasks.exe
		1804	schtasks.exe
		1624	schtasks.exe
		272	schtasks.exe
		1472	schtasks.exe
		2236	schtasks.exe
		2608	schtasks.exe
		1928	schtasks.exe
		1980	schtasks.exe
		1584	schtasks.exe
		2300	schtasks.exe
		3036	schtasks.exe
		2692	schtasks.exe
		396	schtasks.exe
		2256	schtasks.exe
		3048	schtasks.exe
		2004	schtasks.exe
		1472	schtasks.exe
		2644	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2628	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exesppsvc.exesppsvc.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/844-2-0x000000001B7C0000-0x000000001B8EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1008	powershell.exe
2024	powershell.exe
2516	powershell.exe
2012	powershell.exe
812	powershell.exe
2112	powershell.exe
2588	powershell.exe
1780	powershell.exe
2892	powershell.exe
1592	powershell.exe
1160	powershell.exe
2808	powershell.exe
2932	powershell.exe
2688	powershell.exe
3020	powershell.exe
2620	powershell.exe
2756	powershell.exe
2816	powershell.exe
880	powershell.exe
2000	powershell.exe
2456	powershell.exe
1620	powershell.exe
2888	powershell.exe
1364	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	Process
2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
1768	sppsvc.exe
2028	sppsvc.exe
2420	sppsvc.exe
3052	sppsvc.exe
2092	sppsvc.exe
2500	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exesppsvc.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 28 IoCs

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\winlogon.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\0a1fd5f707cd16	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCX5C0B.tmp	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX6BFA.tmp	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX59AA.tmp	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX54B8.tmp	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files\Windows Portable Devices\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files\Windows Portable Devices\d52464b18608b5	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\0a1fd5f707cd16	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Google\Temp\winlogon.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files\Windows Portable Devices\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\42af1c969fbb7b	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\69ddcba757bf72	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Google\Temp\cc11b995f2a76d	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

Drops file in Windows directory 24 IoCs

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

description	ioc	Process
File opened for modification	C:\Windows\Fonts\services.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\de-DE\0a1fd5f707cd16	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\en-US\RCX6E0D.tmp	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Fonts\c5b4cb5e9653cc	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Registration\CRMLog\56085415360792	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\de-DE\24dbde2999530e	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Media\Characters\csrss.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Media\Characters\886983d96e3d3e	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\Registration\CRMLog\wininit.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\es-ES\taskhost.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Speech\Common\csrss.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\en-US\System.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\de-DE\RCX5E3E.tmp	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\de-DE\sppsvc.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Registration\CRMLog\wininit.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\es-ES\taskhost.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\Media\Characters\csrss.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\de-DE\sppsvc.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\en-US\27d1bcfc3c54e0	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\en-US\System.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\Fonts\services.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\de-DE\WmiPrvSE.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File created	C:\Windows\es-ES\b75386f1303e64	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
File opened for modification	C:\Windows\de-DE\WmiPrvSE.exe	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
272	schtasks.exe
2300	schtasks.exe
2764	schtasks.exe
3036	schtasks.exe
1992	schtasks.exe
1536	schtasks.exe
1568	schtasks.exe
3044	schtasks.exe
2344	schtasks.exe
2656	schtasks.exe
2808	schtasks.exe
2572	schtasks.exe
2428	schtasks.exe
2480	schtasks.exe
2248	schtasks.exe
2140	schtasks.exe
876	schtasks.exe
832	schtasks.exe
776	schtasks.exe
2004	schtasks.exe
2704	schtasks.exe
2640	schtasks.exe
1960	schtasks.exe
876	schtasks.exe
2328	schtasks.exe
1624	schtasks.exe
2668	schtasks.exe
1988	schtasks.exe
1056	schtasks.exe
1904	schtasks.exe
2236	schtasks.exe
1748	schtasks.exe
580	schtasks.exe
1104	schtasks.exe
3008	schtasks.exe
1688	schtasks.exe
1472	schtasks.exe
2820	schtasks.exe
2148	schtasks.exe
2304	schtasks.exe
1472	schtasks.exe
2076	schtasks.exe
3032	schtasks.exe
3048	schtasks.exe
2592	schtasks.exe
1804	schtasks.exe
2644	schtasks.exe
2220	schtasks.exe
980	schtasks.exe
2580	schtasks.exe
2420	schtasks.exe
2224	schtasks.exe
1584	schtasks.exe
2976	schtasks.exe
708	schtasks.exe
2904	schtasks.exe
2960	schtasks.exe
2184	schtasks.exe
812	schtasks.exe
2844	schtasks.exe
1728	schtasks.exe
2092	schtasks.exe
2468	schtasks.exe
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	Process
844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
3020	powershell.exe
2112	powershell.exe
2808	powershell.exe
2932	powershell.exe
1620	powershell.exe
2688	powershell.exe
1780	powershell.exe
2756	powershell.exe
1364	powershell.exe
2588	powershell.exe
2888	powershell.exe
2620	powershell.exe
2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
2892	powershell.exe
1008	powershell.exe
1592	powershell.exe
812	powershell.exe
2456	powershell.exe
2000	powershell.exe
2024	powershell.exe
1160	powershell.exe
2516	powershell.exe
2012	powershell.exe
2816	powershell.exe
880	powershell.exe
1768	sppsvc.exe
2028	sppsvc.exe
2420	sppsvc.exe
3052	sppsvc.exe
2092	sppsvc.exe
2500	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1768	sppsvc.exe
Token: SeDebugPrivilege	2028	sppsvc.exe
Token: SeDebugPrivilege	2420	sppsvc.exe
Token: SeDebugPrivilege	3052	sppsvc.exe
Token: SeDebugPrivilege	2092	sppsvc.exe
Token: SeDebugPrivilege	2500	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

description	pid	Process	procid_target
PID 844 wrote to memory of 2112	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	70
PID 844 wrote to memory of 2112	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	70
PID 844 wrote to memory of 2112	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	70
PID 844 wrote to memory of 3020	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	71
PID 844 wrote to memory of 3020	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	71
PID 844 wrote to memory of 3020	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	71
PID 844 wrote to memory of 2808	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	72
PID 844 wrote to memory of 2808	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	72
PID 844 wrote to memory of 2808	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	72
PID 844 wrote to memory of 1780	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	74
PID 844 wrote to memory of 1780	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	74
PID 844 wrote to memory of 1780	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	74
PID 844 wrote to memory of 2588	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	75
PID 844 wrote to memory of 2588	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	75
PID 844 wrote to memory of 2588	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	75
PID 844 wrote to memory of 1620	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	77
PID 844 wrote to memory of 1620	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	77
PID 844 wrote to memory of 1620	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	77
PID 844 wrote to memory of 1364	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	80
PID 844 wrote to memory of 1364	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	80
PID 844 wrote to memory of 1364	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	80
PID 844 wrote to memory of 2688	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	82
PID 844 wrote to memory of 2688	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	82
PID 844 wrote to memory of 2688	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	82
PID 844 wrote to memory of 2932	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	83
PID 844 wrote to memory of 2932	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	83
PID 844 wrote to memory of 2932	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	83
PID 844 wrote to memory of 2756	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	84
PID 844 wrote to memory of 2756	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	84
PID 844 wrote to memory of 2756	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	84
PID 844 wrote to memory of 2620	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	85
PID 844 wrote to memory of 2620	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	85
PID 844 wrote to memory of 2620	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	85
PID 844 wrote to memory of 2888	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	86
PID 844 wrote to memory of 2888	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	86
PID 844 wrote to memory of 2888	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	86
PID 844 wrote to memory of 2192	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	94
PID 844 wrote to memory of 2192	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	94
PID 844 wrote to memory of 2192	844	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	94
PID 2192 wrote to memory of 1008	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	143
PID 2192 wrote to memory of 1008	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	143
PID 2192 wrote to memory of 1008	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	143
PID 2192 wrote to memory of 2892	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	144
PID 2192 wrote to memory of 2892	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	144
PID 2192 wrote to memory of 2892	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	144
PID 2192 wrote to memory of 812	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	145
PID 2192 wrote to memory of 812	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	145
PID 2192 wrote to memory of 812	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	145
PID 2192 wrote to memory of 2456	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	147
PID 2192 wrote to memory of 2456	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	147
PID 2192 wrote to memory of 2456	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	147
PID 2192 wrote to memory of 2012	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	150
PID 2192 wrote to memory of 2012	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	150
PID 2192 wrote to memory of 2012	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	150
PID 2192 wrote to memory of 2000	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	151
PID 2192 wrote to memory of 2000	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	151
PID 2192 wrote to memory of 2000	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	151
PID 2192 wrote to memory of 1160	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	152
PID 2192 wrote to memory of 1160	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	152
PID 2192 wrote to memory of 1160	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	152
PID 2192 wrote to memory of 2516	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	154
PID 2192 wrote to memory of 2516	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	154
PID 2192 wrote to memory of 2516	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	154
PID 2192 wrote to memory of 1592	2192	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe	155

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exesppsvc.exesppsvc.exe88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
"C:\Users\Admin\AppData\Local\Temp\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe
  "C:\Users\Admin\AppData\Local\Temp\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe
    "C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\510c7e2d-942e-4921-bf16-7b0382263df3.vbs"
      4⤵
      PID:2620
    - - C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00f13a8e-3f93-47b1-a6ee-cfa55da9074d.vbs"
        6⤵
        
        PID:472
        
        C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\619015d6-fc26-49da-b510-318b674fca5b.vbs"
        8⤵
        
        PID:1724
        
        C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26f7acca-9962-46a8-b9fb-f0289ae85594.vbs"
        10⤵
        
        PID:2656
        
        C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a3e2f97-fc9d-4cf7-b577-645cec7e4f5d.vbs"
        12⤵
        
        PID:2364
        
        C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08851d1d-5c4c-4de4-8d4f-f9bc087fbcba.vbs"
        14⤵
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61ed6cb7-c2a3-4e75-81de-d0fb2a4935d4.vbs"
        14⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3efc3fae-2b5f-4052-acb2-2e58ca90da63.vbs"
        12⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83f3e188-8cd6-4d40-b33a-33327689095e.vbs"
        10⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bff73b7-3b5e-4e72-89fa-9fb154c8124e.vbs"
        8⤵
        
        PID:1152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feb11365-269b-4e5b-a1d4-20f586d0df62.vbs"
        6⤵
        
        PID:828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca0bf9e6-8056-42ba-97da-318520b6fe95.vbs"
      4⤵
      PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba1558" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba1558" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\lsass.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\taskhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Characters\csrss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Characters\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Characters\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe

Filesize
4.9MB

MD5
e27d9077d56e3cbdab770a0d9cbadf16

SHA1
0e7fac5090694c16c4eca567438473aed3ac4c0f

SHA256
88f0ccbb0f7e91a991c8b6ed48faae69b7e6241cbcf4adebbeaf6d26b6cba155

SHA512
2dc6629f1364c3b43bc2d481038bcf1c086dceed0b29b80dacbf8d4b52b27a06bce6769d45fbd0b753d6199205d7c08d6de59c3778c42280ff4c5eee3258ee88

Download Submit
C:\Users\Admin\AppData\Local\Temp\00f13a8e-3f93-47b1-a6ee-cfa55da9074d.vbs

Filesize
729B

MD5
1872b1a342a29076c0bb01fd26c2279e

SHA1
ceb9784c77f60198f38658dd3b40f04b4d332a75

SHA256
858efdd8a9abd684b70b72ed6c006147d25f0c306573be2ac0526d8335b86ee2

SHA512
96a0756df534814bbcb405f6b9a52d9b56b5bdc34872abc9e51c81f11bbd199a6203b0cfdf9a32d193188da8969bdab9e117648541db74130ae48c2cad7bd022

Download Submit
C:\Users\Admin\AppData\Local\Temp\08851d1d-5c4c-4de4-8d4f-f9bc087fbcba.vbs

Filesize
729B

MD5
59fcbdc8c5f4a22f9f70215f314ed56b

SHA1
7883761f7bb25ce38547e523705c512fa7754879

SHA256
94dcf931b679d4bb8565ebe08a17b2475f0f44a801f360e44916fd58dd9a7c52

SHA512
0a024d4a24b02a3e3b9e2d244e9063ea351eb7fa94f989b179d56e5b4f0b50de8a636c3c20be1fa51ed439b150eb07dd6e80e05c2aa0fa400930f09d566d5a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\26f7acca-9962-46a8-b9fb-f0289ae85594.vbs

Filesize
729B

MD5
3150e1cd6a1c822290bab319b77fae9f

SHA1
37a7284cc5183e43de17b3a61ffdecea7a1b22c4

SHA256
d7e329b1b7027ee26f8574a5b07add2c6c8627ba5f646b3c5b85c3f3fc4262d4

SHA512
71e2077e3f51fb69cf163333a007af7f176e97764e9dcca8df31f963cb3fbd673f9d94cc76fffce22791751d18345e56bf14565a92c36eb9dfdbf9cddff9b922

Download Submit
C:\Users\Admin\AppData\Local\Temp\510c7e2d-942e-4921-bf16-7b0382263df3.vbs

Filesize
729B

MD5
1a0a55022e0d924c45728c4579188573

SHA1
f56b129a7a5e730ffc16a318ac882f66b744f762

SHA256
0f22c27d64529e313924fcdba03f348608bee1d0d08269edd0e6d6184b016d9a

SHA512
48d13fe112107068e073d7eadf4956d534e1908279690fd565835961d4e637b9041cfc32ce00af1b74b04e1963e0060645b53663d7fed1c2a8efa8282e5c16d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\619015d6-fc26-49da-b510-318b674fca5b.vbs

Filesize
729B

MD5
e6cb0c48a2a7f760fa1ebb01a1202661

SHA1
479422cc50a61653f4fb6de07b6ecfde9d0c3bb3

SHA256
b4f26fa69ceb9695c595a00528594548ec87d6b711ed2c9222432ab9182deafd

SHA512
795c5f00931c7b5c52d9402f08aecb758c107bcbe880e328b9c1689cd69243db3f8f4bdfd55a8bc40691e178b97a3ce23d8805b988501140a7925aba4c6ec0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a3e2f97-fc9d-4cf7-b577-645cec7e4f5d.vbs

Filesize
729B

MD5
064e1be22097c0684ecd965ea70c6429

SHA1
84aa634f5df6cc8c32df8d1915dad9414b9e930b

SHA256
517e8082d64f4f3b8fa9db78c0dfbb996c9e53e95bfa19af96a0506e056c1312

SHA512
902d84f920d968fc4a4be51e723ea8abeddf847ff110c5fabb8cbfa322129c41cc9d1cc1b3200982a8fe09015e916fbfb2ee44beee819ac90e17c360c16cc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca0bf9e6-8056-42ba-97da-318520b6fe95.vbs

Filesize
505B

MD5
f4763af1f3c71f49c9b35b8a99a7d7b3

SHA1
6a761c076bd7f4da7a3311c7278cb5c788cfbd21

SHA256
8fae7830391f5990bc3d43320d31cbe7657f676235b1cfce1b4900f2d4480e3b

SHA512
ffb8cdfae816ab2349fbf5f03f5c92aa65ed248be407df1c9578a285b5c599e543115304b54eae22b950eb065bd14015b0c3eff1c919f2b8e727d2c4701af8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EC8.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3eeb199beded2c4a76bf2cf09aad5428

SHA1
5912281b0e258a8955d612b9b55992f800a0e9f2

SHA256
864812866abd8d2f5e01d6df22e7490575db596a8632715b3d9fdbf3d628a133

SHA512
611bd8d1f5d7b5a381cae0068fac39f9034cb9444fa95962afc9efa25fa5c849c2cb74d84480a131f3aa81e44a9a522c5aed1c7329c00854a7278f19166c9b7b

Download Submit
memory/844-10-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/844-6-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/844-12-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/844-13-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/844-14-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/844-15-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/844-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/844-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/844-89-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/844-104-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-9-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/844-191-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-3-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-4-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/844-8-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/844-1-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download
memory/844-2-0x000000001B7C0000-0x000000001B8EE000-memory.dmp

Filesize
1.2MB

Download
memory/844-11-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/844-7-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/844-5-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1768-310-0x0000000000E30000-0x0000000001324000-memory.dmp

Filesize
5.0MB

Download
memory/2028-333-0x00000000003F0000-0x00000000008E4000-memory.dmp

Filesize
5.0MB

Download
memory/2092-378-0x0000000001160000-0x0000000001654000-memory.dmp

Filesize
5.0MB

Download
memory/2092-379-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2112-155-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2112-157-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2420-348-0x0000000000F80000-0x0000000001474000-memory.dmp

Filesize
5.0MB

Download
memory/2456-296-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-280-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/3052-363-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download