dcrat | 6956fe608e1cbcac4888a11b3a9815451289a38bb3fdb82c29f8f8ad593b209d

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	csrss.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	csrss.exe

Executes dropped EXE 1 IoCs

pid	Process
1564	csrss.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Documents and Settings\\OSPPSVC.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\NlsLexicons0009\\dllhost.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\hdwwiz\\services.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\C_21025\\csrss.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Desktop\\sppsvc.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\sdchange\\lsm.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\NlsData0020\\wininit.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wsock32\\wininit.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\KBDTURME\\csrss.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Uninstall Information\\services.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\devmgr\\winlogon.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\drt\\lsm.exe\""	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NlsLexicons0009\5940a34987c99120d96dace90a3f93f329dcad63	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hdwwiz\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\C_21025\csrss.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsock32\wininit.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drt\101b941d020240259ca4912829b53995ad543df6	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drt\lsm.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NlsLexicons0009\dllhost.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsock32\560854153607923c4c5f107085a7db67be01f252	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange\lsm.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NlsLexicons0009\dllhost.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\C_21025\886983d96e3d3e31032c679b2d4ea91b6c05afef	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KBDTURME\csrss.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NlsData0020\wininit.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\devmgr\winlogon.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\devmgr\cc11b995f2a76da408ea6a601e682e64743153ad	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NlsData0020\560854153607923c4c5f107085a7db67be01f252	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hdwwiz\services.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KBDTURME\886983d96e3d3e31032c679b2d4ea91b6c05afef	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange\101b941d020240259ca4912829b53995ad543df6	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
1564	csrss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\services.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
File created	C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e31032c679b2d4ea91b6c05afef	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2136	schtasks.exe
2664	schtasks.exe
2860	schtasks.exe
2888	schtasks.exe
1056	schtasks.exe
1460	schtasks.exe
764	schtasks.exe
1940	schtasks.exe
2896	schtasks.exe
2644	schtasks.exe
2752	schtasks.exe
1332	schtasks.exe
2784	schtasks.exe
2864	schtasks.exe
2516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
1564	csrss.exe
1564	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Token: SeDebugPrivilege	1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
Token: SeDebugPrivilege	1564	csrss.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2564	2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	40
PID 2092 wrote to memory of 2564	2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	40
PID 2092 wrote to memory of 2564	2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	40
PID 2092 wrote to memory of 2564	2092	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	40
PID 2564 wrote to memory of 2636	2564	cmd.exe	42
PID 2564 wrote to memory of 2636	2564	cmd.exe	42
PID 2564 wrote to memory of 2636	2564	cmd.exe	42
PID 2564 wrote to memory of 2636	2564	cmd.exe	42
PID 2564 wrote to memory of 1724	2564	cmd.exe	43
PID 2564 wrote to memory of 1724	2564	cmd.exe	43
PID 2564 wrote to memory of 1724	2564	cmd.exe	43
PID 2564 wrote to memory of 1724	2564	cmd.exe	43
PID 1724 wrote to memory of 3048	1724	w32tm.exe	44
PID 1724 wrote to memory of 3048	1724	w32tm.exe	44
PID 1724 wrote to memory of 3048	1724	w32tm.exe	44
PID 1724 wrote to memory of 3048	1724	w32tm.exe	44
PID 2564 wrote to memory of 1392	2564	cmd.exe	45
PID 2564 wrote to memory of 1392	2564	cmd.exe	45
PID 2564 wrote to memory of 1392	2564	cmd.exe	45
PID 2564 wrote to memory of 1392	2564	cmd.exe	45
PID 1392 wrote to memory of 2908	1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	53
PID 1392 wrote to memory of 2908	1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	53
PID 1392 wrote to memory of 2908	1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	53
PID 1392 wrote to memory of 2908	1392	d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe	53
PID 2908 wrote to memory of 3044	2908	cmd.exe	55
PID 2908 wrote to memory of 3044	2908	cmd.exe	55
PID 2908 wrote to memory of 3044	2908	cmd.exe	55
PID 2908 wrote to memory of 3044	2908	cmd.exe	55
PID 2908 wrote to memory of 2912	2908	cmd.exe	56
PID 2908 wrote to memory of 2912	2908	cmd.exe	56
PID 2908 wrote to memory of 2912	2908	cmd.exe	56
PID 2908 wrote to memory of 2912	2908	cmd.exe	56
PID 2912 wrote to memory of 2900	2912	w32tm.exe	57
PID 2912 wrote to memory of 2900	2912	w32tm.exe	57
PID 2912 wrote to memory of 2900	2912	w32tm.exe	57
PID 2912 wrote to memory of 2900	2912	w32tm.exe	57
PID 2908 wrote to memory of 1564	2908	cmd.exe	58
PID 2908 wrote to memory of 1564	2908	cmd.exe	58
PID 2908 wrote to memory of 1564	2908	cmd.exe	58
PID 2908 wrote to memory of 1564	2908	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe"
1⤵
- DcRat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmVNgH5KgI.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d19220e738ca3bae030183e83544aebc_JaffaCakes118.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTYscXymvp.bat"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\C_21025\csrss.exe
        
        "C:\Windows\System32\C_21025\csrss.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\sdchange\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\drt\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\devmgr\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Documents and Settings\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0020\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0009\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\hdwwiz\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\C_21025\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wsock32\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\KBDTURME\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion