dcrat | 99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Size

1.0MB
MD5

80de5279605dda35d99f32d926d6d600
SHA1

4126656e487d6e427a7e279dcae123a36906e2ea
SHA256

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498
SHA512

e328d7e90b57b081a771e969a25cc7f9ec91d62c5ef716bef71861b2dda70779c906f7c76d0403deba25e0650b27467ab719a411c90b4f9f66ef230eb1d7a990
SSDEEP

12288:sP2N7DeTXX5qeIeLsdxv/xedn6IwyMbfhC6hQs3uUbG6ddD7HFPMmXgAff+75LMS:sP28z7IeYxvJeKHdZH3OacV3d9CE

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 46 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		3068	schtasks.exe
		1920	schtasks.exe
		276	schtasks.exe
		2724	schtasks.exe
		2660	schtasks.exe
		1108	schtasks.exe
		2432	schtasks.exe
		2068	schtasks.exe
		1536	schtasks.exe
		1556	schtasks.exe
		1680	schtasks.exe
		2744	schtasks.exe
		2796	schtasks.exe
		2404	schtasks.exe
		2872	schtasks.exe
		1500	schtasks.exe
		2988	schtasks.exe
		2000	schtasks.exe
		3036	schtasks.exe
		2684	schtasks.exe
		2116	schtasks.exe
		1992	schtasks.exe
		2688	schtasks.exe
		996	schtasks.exe
		1184	schtasks.exe
		2024	schtasks.exe
		3044	schtasks.exe
		848	schtasks.exe
		2824	schtasks.exe
		2520	schtasks.exe
		2380	schtasks.exe
		2976	schtasks.exe
		2900	schtasks.exe
		2632	schtasks.exe
		2856	schtasks.exe
		340	schtasks.exe
		2356	schtasks.exe
		1816	schtasks.exe
		3040	schtasks.exe
		1028	schtasks.exe
		2036	schtasks.exe
		1328	schtasks.exe
		1888	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
		692	schtasks.exe
		856	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\en-US\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\", \"C:\\Users\\Default User\\smss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Users\\Default User\\Idle.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\winlogon.exe\", \"C:\\Windows\\en-US\\winlogon.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\", \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\", \"C:\\Users\\Default\\Videos\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Fonts\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\", \"C:\\Users\\Default User\\WmiPrvSE.exe\", \"C:\\Windows\\en-US\\csrss.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2808	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2512-1-0x0000000000300000-0x000000000040E000-memory.dmp	dcrat
behavioral1/files/0x0005000000019609-26.dat	dcrat
behavioral1/memory/1528-117-0x0000000000D20000-0x0000000000E2E000-memory.dmp	dcrat
behavioral1/memory/2412-150-0x00000000000E0000-0x00000000001EE000-memory.dmp	dcrat
behavioral1/memory/1072-162-0x0000000001350000-0x000000000145E000-memory.dmp	dcrat
behavioral1/memory/2440-207-0x00000000003C0000-0x00000000004CE000-memory.dmp	dcrat
behavioral1/memory/1872-219-0x00000000001E0000-0x00000000002EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1784	powershell.exe
1900	powershell.exe
2084	powershell.exe
2072	powershell.exe
2276	powershell.exe
1360	powershell.exe
2076	powershell.exe
2032	powershell.exe
2588	powershell.exe
2756	powershell.exe
3048	powershell.exe
3060	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
1528	winlogon.exe
2188	winlogon.exe
1300	winlogon.exe
2412	winlogon.exe
1072	winlogon.exe
2996	winlogon.exe
2616	winlogon.exe
880	winlogon.exe
2440	winlogon.exe
1872	winlogon.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Downloads\\winlogon.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\en-US\\winlogon.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Fonts\\spoolsv.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\en-US\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Videos\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Fonts\\spoolsv.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\en-US\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\lsass.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Default User\\WmiPrvSE.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Videos\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Microsoft Help\\taskhost.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Downloads\\winlogon.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\Replicate\\smss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\csrss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\en-US\\winlogon.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\dllhost.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 6 IoCs

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\886983d96e3d3e	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\6203df4a6bafc7	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\5940a34987c991	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

Drops file in Windows directory 6 IoCs

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

description	ioc	Process
File created	C:\Windows\en-US\cc11b995f2a76d	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Windows\Fonts\spoolsv.exe	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Windows\Fonts\f3b6ecef712a24	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Windows\en-US\csrss.exe	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Windows\en-US\886983d96e3d3e	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
File created	C:\Windows\en-US\winlogon.exe	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2660	schtasks.exe
1108	schtasks.exe
2688	schtasks.exe
2856	schtasks.exe
1500	schtasks.exe
1888	schtasks.exe
1184	schtasks.exe
2900	schtasks.exe
1028	schtasks.exe
2024	schtasks.exe
2632	schtasks.exe
2872	schtasks.exe
2824	schtasks.exe
2520	schtasks.exe
1680	schtasks.exe
3036	schtasks.exe
2976	schtasks.exe
1816	schtasks.exe
1536	schtasks.exe
2116	schtasks.exe
1992	schtasks.exe
2068	schtasks.exe
996	schtasks.exe
2796	schtasks.exe
2988	schtasks.exe
3044	schtasks.exe
2404	schtasks.exe
848	schtasks.exe
3068	schtasks.exe
1920	schtasks.exe
856	schtasks.exe
2724	schtasks.exe
3040	schtasks.exe
276	schtasks.exe
2000	schtasks.exe
1328	schtasks.exe
2380	schtasks.exe
340	schtasks.exe
2684	schtasks.exe
692	schtasks.exe
2432	schtasks.exe
2356	schtasks.exe
1556	schtasks.exe
2744	schtasks.exe
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
2076	powershell.exe
2084	powershell.exe
2756	powershell.exe
1784	powershell.exe
2588	powershell.exe
3048	powershell.exe
2276	powershell.exe
2072	powershell.exe
1900	powershell.exe
2032	powershell.exe
1360	powershell.exe
3060	powershell.exe
1528	winlogon.exe
2188	winlogon.exe
1300	winlogon.exe
2412	winlogon.exe
1072	winlogon.exe
2996	winlogon.exe
2616	winlogon.exe
880	winlogon.exe
2440	winlogon.exe
1872	winlogon.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1528	winlogon.exe
Token: SeDebugPrivilege	2188	winlogon.exe
Token: SeDebugPrivilege	1300	winlogon.exe
Token: SeDebugPrivilege	2412	winlogon.exe
Token: SeDebugPrivilege	1072	winlogon.exe
Token: SeDebugPrivilege	2996	winlogon.exe
Token: SeDebugPrivilege	2616	winlogon.exe
Token: SeDebugPrivilege	880	winlogon.exe
Token: SeDebugPrivilege	2440	winlogon.exe
Token: SeDebugPrivilege	1872	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.execmd.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exe

description	pid	Process	procid_target
PID 2512 wrote to memory of 2756	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	76
PID 2512 wrote to memory of 2756	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	76
PID 2512 wrote to memory of 2756	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	76
PID 2512 wrote to memory of 1900	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	77
PID 2512 wrote to memory of 1900	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	77
PID 2512 wrote to memory of 1900	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	77
PID 2512 wrote to memory of 3048	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	78
PID 2512 wrote to memory of 3048	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	78
PID 2512 wrote to memory of 3048	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	78
PID 2512 wrote to memory of 3060	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	79
PID 2512 wrote to memory of 3060	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	79
PID 2512 wrote to memory of 3060	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	79
PID 2512 wrote to memory of 2276	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	80
PID 2512 wrote to memory of 2276	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	80
PID 2512 wrote to memory of 2276	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	80
PID 2512 wrote to memory of 2084	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	81
PID 2512 wrote to memory of 2084	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	81
PID 2512 wrote to memory of 2084	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	81
PID 2512 wrote to memory of 1784	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	82
PID 2512 wrote to memory of 1784	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	82
PID 2512 wrote to memory of 1784	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	82
PID 2512 wrote to memory of 2072	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	84
PID 2512 wrote to memory of 2072	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	84
PID 2512 wrote to memory of 2072	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	84
PID 2512 wrote to memory of 2076	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	85
PID 2512 wrote to memory of 2076	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	85
PID 2512 wrote to memory of 2076	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	85
PID 2512 wrote to memory of 1360	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	87
PID 2512 wrote to memory of 1360	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	87
PID 2512 wrote to memory of 1360	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	87
PID 2512 wrote to memory of 2032	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	89
PID 2512 wrote to memory of 2032	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	89
PID 2512 wrote to memory of 2032	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	89
PID 2512 wrote to memory of 2588	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	90
PID 2512 wrote to memory of 2588	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	90
PID 2512 wrote to memory of 2588	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	90
PID 2512 wrote to memory of 1584	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	100
PID 2512 wrote to memory of 1584	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	100
PID 2512 wrote to memory of 1584	2512	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe	100
PID 1584 wrote to memory of 2312	1584	cmd.exe	102
PID 1584 wrote to memory of 2312	1584	cmd.exe	102
PID 1584 wrote to memory of 2312	1584	cmd.exe	102
PID 1584 wrote to memory of 1528	1584	cmd.exe	104
PID 1584 wrote to memory of 1528	1584	cmd.exe	104
PID 1584 wrote to memory of 1528	1584	cmd.exe	104
PID 1528 wrote to memory of 2400	1528	winlogon.exe	105
PID 1528 wrote to memory of 2400	1528	winlogon.exe	105
PID 1528 wrote to memory of 2400	1528	winlogon.exe	105
PID 1528 wrote to memory of 2504	1528	winlogon.exe	106
PID 1528 wrote to memory of 2504	1528	winlogon.exe	106
PID 1528 wrote to memory of 2504	1528	winlogon.exe	106
PID 2400 wrote to memory of 2188	2400	WScript.exe	107
PID 2400 wrote to memory of 2188	2400	WScript.exe	107
PID 2400 wrote to memory of 2188	2400	WScript.exe	107
PID 2188 wrote to memory of 2132	2188	winlogon.exe	108
PID 2188 wrote to memory of 2132	2188	winlogon.exe	108
PID 2188 wrote to memory of 2132	2188	winlogon.exe	108
PID 2188 wrote to memory of 1764	2188	winlogon.exe	109
PID 2188 wrote to memory of 1764	2188	winlogon.exe	109
PID 2188 wrote to memory of 1764	2188	winlogon.exe	109
PID 2132 wrote to memory of 1300	2132	WScript.exe	110
PID 2132 wrote to memory of 1300	2132	WScript.exe	110
PID 2132 wrote to memory of 1300	2132	WScript.exe	110
PID 1300 wrote to memory of 2112	1300	winlogon.exe	111

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe
"C:\Users\Admin\AppData\Local\Temp\99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ULc4Icvci.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2312
- - C:\Users\Public\Downloads\winlogon.exe
    "C:\Users\Public\Downloads\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c6ec0f4-18a0-4773-b236-4fb081ea3f66.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2188
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\704d3c79-1863-4a2b-b16f-ae7c2c51f608.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef696ead-998c-47e8-a824-7e95148b1934.vbs"
        8⤵
        
        PID:2112
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddeccbf7-291b-446c-a0db-612b243fabda.vbs"
        10⤵
        
        PID:2068
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c647bcf9-425f-4816-84f9-493f54eeadb1.vbs"
        12⤵
        
        PID:2656
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d8d4643-e397-4dd9-a85d-eedeff8b8cf5.vbs"
        14⤵
        
        PID:2828
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd1ee9e-1584-4007-ad64-9cef46475f92.vbs"
        16⤵
        
        PID:2668
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\981c43e5-3b63-4e4e-bfb0-df3ea275de53.vbs"
        18⤵
        
        PID:2972
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ef1e772-8ffc-4b38-b0ff-2c0ce50684a4.vbs"
        20⤵
        
        PID:2788
        
        C:\Users\Public\Downloads\winlogon.exe
        
        C:\Users\Public\Downloads\winlogon.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2975a43-a1ab-4a0c-84b1-cfbe592a4326.vbs"
        20⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24ba00c1-8d8e-4f1c-8a23-03aff6cd5c06.vbs"
        18⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76af13e6-529a-4d64-8961-1e34ae214fb4.vbs"
        16⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7f036dd-63dd-469c-a92b-78218b0d7420.vbs"
        14⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb66a3e-cc3e-4ddc-8672-e447e878581c.vbs"
        12⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0616ad13-6824-4383-8033-1137bd3f8b14.vbs"
        10⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40d9f60a-3bff-4804-95ac-c3d21abc5a30.vbs"
        8⤵
        
        PID:3040
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cd08613-f839-48cf-8814-2bfa577765fb.vbs"
        6⤵
        
        PID:1764
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\481e1362-df55-4c61-b296-6ee28c37f29e.vbs"
      4⤵
      PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\481e1362-df55-4c61-b296-6ee28c37f29e.vbs

Filesize
490B

MD5
ce07590fce1b3c1b0d1e221f1d146c6d

SHA1
8bc27c76077f439e306cbdf8d24ff377fe459198

SHA256
ba7192c36a52115c597b9cbfbb11eb679606f93e6ff9661a65cb69710a1a1253

SHA512
715f38d606ef35d2d060f6e73e1a2539e06cdb8181333a85f10c1726afc80ca583cd63a0c603858055a365e7d13eb2cdc1149db902c456e57df4a3a0c196df0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c6ec0f4-18a0-4773-b236-4fb081ea3f66.vbs

Filesize
714B

MD5
95fbbe4fcf30c43ff3e73808018a58c1

SHA1
83d1d3d485e310444e90b64624528d297fa372ff

SHA256
0088cda613970c48ae60c728c4ba25bad2e7b1ef65a5af0fbd67635f98b34571

SHA512
75bdd8517ca284dce859bcfdb49b0fe389e3627d4a850aab018025ee0b1dd8046d5dadb0b63fb8a97a3907cc63c74db703f6c325ca782a915bdd1da53953f001

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ef1e772-8ffc-4b38-b0ff-2c0ce50684a4.vbs

Filesize
714B

MD5
fa055791cf805d3df56f99411d5059b0

SHA1
a5dd08081f5012871148b33198c2b62476e76271

SHA256
a5bf65a5feef34b7872cd38609e174403aea03a1f992901b04e64d41a86bd346

SHA512
41d8eddb2f2333508746ebadacb671482e03637ec1dd1ebbeb14490f8ced45b74627b3f30fa43d61cafdef207244bfa52a27cebd76cea24f3c2c33e2c928b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\704d3c79-1863-4a2b-b16f-ae7c2c51f608.vbs

Filesize
714B

MD5
235bfe8caf8cb04eee1e4323f038d13c

SHA1
6f9e3dc0208d0b3e824475a1b0c1a75ba7b4b9e0

SHA256
5611b0a524ac083f8da3663647f6e7792ee51c5e43a1fe87b0eb350630f6603a

SHA512
b3d59cfee70ede0152bde0c515c0961e19a134d7f850fef5e3e04a79bec06db8a985cded95f36e9331c6083aa73feadebf127e695c012f3bf84a2b35c1b25744

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ULc4Icvci.bat

Filesize
203B

MD5
94ca09cbee4299955e29c30c5aea89e1

SHA1
63c0ae3c3fcb3180e38815aa0721b11896a58e9f

SHA256
69bd35da91ab1194ad9c10741ebcfda24f482dd21a578d5bd53ca881560b5ec2

SHA512
19d76cb724c17e5baa5d7bfa80caa5047fb7bfa5ac6a34df1999a9c606ec8abf7312ff78e5efa2924eebb4487a3e6e2d06763e0f4f6da5a1e00f5ab51bd56b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\981c43e5-3b63-4e4e-bfb0-df3ea275de53.vbs

Filesize
713B

MD5
780d7c10316fa3f83946f2bcd3637419

SHA1
3d1f4b26b5abcb1f3a20365cbef9d743552a6cec

SHA256
accff4729ffcc86c29850c954741a52b1d71d706da607d22ed33631faec1157d

SHA512
4ba8fa04a114172a62dac2562e31ad89ab14d96123322ca17c54bdb64843b5588a1ff0a2b61d09227486d45996ba5dd6e04e8f4791d49550276d6d248c1db708

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d8d4643-e397-4dd9-a85d-eedeff8b8cf5.vbs

Filesize
714B

MD5
d11d8488fb420455eee1a8fdde9fdec6

SHA1
31b4f12578baf4b7f3e2a27aa38f612984b5dfed

SHA256
1c792e16d5b93d7a1d2dcd616ad1c37dc97fe3a025b36fa370cc95a36a835778

SHA512
ed2472507c87a6d5da34d998d427b5205a52f2aa3f8af215602447211fa065426bc9c9eaa7032f0291d4ebaa0bc19f18d6837e827874082b059f261c18f59fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbd1ee9e-1584-4007-ad64-9cef46475f92.vbs

Filesize
714B

MD5
af2e552be61f5fc60a1dc46c277bc896

SHA1
728e69743fb52c8c1c89e863cacc7b7520d87c54

SHA256
3fb4bce950fcbfc5c2fbe92589c066d613a89ad37e3d571c1f843ddfadf7ce90

SHA512
806a6949ea9a1d4a09c968bd37c11a119ba0dd64d81129f624022ab0413bda1e2381cc54c14b586a72aac1b6f6d7861829bfaf3f2128cd27c7a7dac6d64568ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\c647bcf9-425f-4816-84f9-493f54eeadb1.vbs

Filesize
714B

MD5
df0da6108d144920312973c1762b69de

SHA1
1dfb88b29fa060f4f12d9e7961da927f514dd032

SHA256
a3ae4da3b6d7b9908cbe48068d8e19d8916a356c6c47b6317959ca9cad00aa37

SHA512
031582be3c1c3a55c2a4e1876822568e683467626e429ca91dc26a4f57f89eee426d4d001f29c9285504a2f75a3aef77859a8aa9d7d72f13b1435bb08a150a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddeccbf7-291b-446c-a0db-612b243fabda.vbs

Filesize
714B

MD5
9b7c6b9980aaba5a5127c4744876df69

SHA1
18d5f29848de51ea48e4d0b0e6d218cb538762f5

SHA256
fd1bbff69bcd0d37b84524958a147bbd9a47e7562c68ec657cf8c946fdba68f1

SHA512
1ab9c1200515ec45035db416e19c8c18c79343d18122da1bdaae6cdba79f9cd1a9a2b95f319f90c7fb972fd2518bd7a3f79ccf8f9799ed1551c926e4d615d37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef696ead-998c-47e8-a824-7e95148b1934.vbs

Filesize
714B

MD5
486a568d963391b307742a81ed723990

SHA1
1259dfb61e9569725df69156ff1b83ffaa8d9ba1

SHA256
5b87e088e9af282341845f004fb73580a742e1d045faa6f4cf0c4f3385fd5ea6

SHA512
3d1406f079c2c09de84ecd14d4d503fb2abc0143808f4c82878067c3d252d9d5b99289f39507fa07fcbd81af8839b3116f51d93cbf8c3b96634edde8a430ab95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
023b99f9bd6a62a170287eb0427b71e4

SHA1
ec940624dddd1ebcfb0382a3e94d344c487ca9cc

SHA256
77b4c1f0d1cdf0fe16df0702ec4fd8a692da426dd31bd04dd96b954843df8ccf

SHA512
821457d6ef6fb352ecc2bf5ea0ab994733334ee61620234da5b9b558b9cd877bf80954dfc8f4428a37def74a1e3a55b8a6b20479ee3a1a064581e3a24e579701

Download Submit
C:\Users\Default\Videos\csrss.exe

Filesize
1.0MB

MD5
80de5279605dda35d99f32d926d6d600

SHA1
4126656e487d6e427a7e279dcae123a36906e2ea

SHA256
99bae4effd7113b7decd48c23ea5cc6626a9b4f222ec9ad862d00a5a03cbb498

SHA512
e328d7e90b57b081a771e969a25cc7f9ec91d62c5ef716bef71861b2dda70779c906f7c76d0403deba25e0650b27467ab719a411c90b4f9f66ef230eb1d7a990

Download Submit
memory/1072-162-0x0000000001350000-0x000000000145E000-memory.dmp

Filesize
1.1MB

Download
memory/1528-117-0x0000000000D20000-0x0000000000E2E000-memory.dmp

Filesize
1.1MB

Download
memory/1872-219-0x00000000001E0000-0x00000000002EE000-memory.dmp

Filesize
1.1MB

Download
memory/2076-72-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2076-71-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2412-150-0x00000000000E0000-0x00000000001EE000-memory.dmp

Filesize
1.1MB

Download
memory/2440-207-0x00000000003C0000-0x00000000004CE000-memory.dmp

Filesize
1.1MB

Download
memory/2512-12-0x0000000002170000-0x000000000217A000-memory.dmp

Filesize
40KB

Download
memory/2512-17-0x000000001A6C0000-0x000000001A6CC000-memory.dmp

Filesize
48KB

Download
memory/2512-66-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-13-0x0000000002180000-0x000000000218E000-memory.dmp

Filesize
56KB

Download
memory/2512-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2512-11-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2512-9-0x00000000020C0000-0x00000000020CC000-memory.dmp

Filesize
48KB

Download
memory/2512-8-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/2512-7-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2512-10-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2512-5-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2512-16-0x000000001A6B0000-0x000000001A6BA000-memory.dmp

Filesize
40KB

Download
memory/2512-6-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2512-4-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2512-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2512-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-15-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/2512-1-0x0000000000300000-0x000000000040E000-memory.dmp

Filesize
1.1MB

Download
memory/2512-14-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download