dcrat | c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Size

4.9MB
MD5

718df7dabb3438f7b1ccc887115b31b2
SHA1

f7282cefb6ffdfb203b69c470b4a6e75f0d9acbe
SHA256

c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54
SHA512

515ff9079f72bb9d2e122b6c8eab7a0796ae8d26b9c5d998371101005cc71ecd2f2cc02a5b9b8f8a3cb287e7c50bf2e89f317378140add8a8d08039a240e5455
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2420	schtasks.exe
		1968	schtasks.exe
		2964	schtasks.exe
		2824	schtasks.exe
		2028	schtasks.exe
File created	C:\Program Files (x86)\Google\CrashReports\7a0fd90576e088		c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
		1704	schtasks.exe
		440	schtasks.exe
		1640	schtasks.exe
		2568	schtasks.exe
		1192	schtasks.exe
		1424	schtasks.exe
		2180	schtasks.exe
		1056	schtasks.exe
		2116	schtasks.exe
		1088	schtasks.exe
		2668	schtasks.exe
		1968	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
		1928	schtasks.exe
		1756	schtasks.exe
File created	C:\Windows\Help\5940a34987c991		c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
		1724	schtasks.exe
		2496	schtasks.exe
		892	schtasks.exe
		2668	schtasks.exe
		3016	schtasks.exe
		1144	schtasks.exe
		1908	schtasks.exe
		680	schtasks.exe
		2268	schtasks.exe
		2884	schtasks.exe
		2872	schtasks.exe
		1264	schtasks.exe
		2628	schtasks.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72		c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\Downloaded Program Files\7a0fd90576e088		c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
		1964	schtasks.exe
		2476	schtasks.exe
		2852	schtasks.exe
		2836	schtasks.exe
		2352	schtasks.exe
		856	schtasks.exe
		2716	schtasks.exe
		1480	schtasks.exe
		3052	schtasks.exe
		480	schtasks.exe
		2416	schtasks.exe
		1584	schtasks.exe
		2580	schtasks.exe
		2684	schtasks.exe
		2956	schtasks.exe
		2376	schtasks.exe
		2632	schtasks.exe
		2632	schtasks.exe
		2168	schtasks.exe
		2812	schtasks.exe
		2712	schtasks.exe
		1760	schtasks.exe
		2832	schtasks.exe
		820	schtasks.exe
		2620	schtasks.exe
		2816	schtasks.exe
		1660	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	768	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2384-3-0x000000001B790000-0x000000001B8BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
760	powershell.exe
640	powershell.exe
2388	powershell.exe
860	powershell.exe
1224	powershell.exe
756	powershell.exe
1672	powershell.exe
1588	powershell.exe
1840	powershell.exe
1800	powershell.exe
944	powershell.exe
548	powershell.exe
1084	powershell.exe
2576	powershell.exe
2084	powershell.exe
1748	powershell.exe
1356	powershell.exe
1984	powershell.exe
2272	powershell.exe
1328	powershell.exe
2164	powershell.exe
2072	powershell.exe
2136	powershell.exe
2976	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2696	lsass.exe
704	lsass.exe
2396	lsass.exe
1044	lsass.exe
1680	lsass.exe
2064	lsass.exe
2928	lsass.exe
1840	lsass.exe
2380	lsass.exe
2680	lsass.exe
1696	lsass.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXCAFF.tmp	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\powershell.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Common Files\lsass.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\it-IT\conhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\e978f868350d50	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Common Files\6203df4a6bafc7	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\088424020bedd6	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\088424020bedd6	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\powershell.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\explorer.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Google\Update\e978f868350d50	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Google\Update\powershell.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\conhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Common Files\lsass.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXCD02.tmp	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files\Common Files\Services\e978f868350d50	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Microsoft.NET\6203df4a6bafc7	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\conhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Google\CrashReports\explorer.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Google\CrashReports\7a0fd90576e088	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files\Common Files\Services\powershell.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\conhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Google\Update\powershell.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\lsass.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Program Files (x86)\Microsoft.NET\lsass.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Program Files\Common Files\Services\powershell.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\7a0fd90576e088	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\Help\dllhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\RCXCF07.tmp	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\lsass.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXD30F.tmp	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\lsass.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\6203df4a6bafc7	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\servicing\conhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Windows\Help\dllhost.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File created	C:\Windows\Help\5940a34987c991	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Windows\Downloaded Program Files\explorer.exe	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
File opened for modification	C:\Windows\Help\RCXD91A.tmp	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
2352	schtasks.exe
1480	schtasks.exe
1264	schtasks.exe
2800	schtasks.exe
2268	schtasks.exe
2884	schtasks.exe
1968	schtasks.exe
2632	schtasks.exe
2872	schtasks.exe
2568	schtasks.exe
480	schtasks.exe
440	schtasks.exe
2964	schtasks.exe
2556	schtasks.exe
1640	schtasks.exe
2580	schtasks.exe
1144	schtasks.exe
3016	schtasks.exe
1968	schtasks.exe
1704	schtasks.exe
2116	schtasks.exe
820	schtasks.exe
1088	schtasks.exe
2824	schtasks.exe
2620	schtasks.exe
2812	schtasks.exe
2600	schtasks.exe
2296	schtasks.exe
2424	schtasks.exe
2632	schtasks.exe
2928	schtasks.exe
2416	schtasks.exe
2376	schtasks.exe
1032	schtasks.exe
1908	schtasks.exe
1928	schtasks.exe
1756	schtasks.exe
2936	schtasks.exe
1964	schtasks.exe
1056	schtasks.exe
2496	schtasks.exe
2028	schtasks.exe
2112	schtasks.exe
2832	schtasks.exe
2816	schtasks.exe
1724	schtasks.exe
1760	schtasks.exe
2668	schtasks.exe
2316	schtasks.exe
2956	schtasks.exe
2836	schtasks.exe
2716	schtasks.exe
2476	schtasks.exe
1584	schtasks.exe
1192	schtasks.exe
1424	schtasks.exe
2636	schtasks.exe
2168	schtasks.exe
832	schtasks.exe
3052	schtasks.exe
2712	schtasks.exe
2420	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
1840	powershell.exe
2072	powershell.exe
2084	powershell.exe
1224	powershell.exe
2164	powershell.exe
860	powershell.exe
1748	powershell.exe
1800	powershell.exe
756	powershell.exe
2388	powershell.exe
1588	powershell.exe
1356	powershell.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2696	lsass.exe
Token: SeDebugPrivilege	704	lsass.exe
Token: SeDebugPrivilege	2396	lsass.exe
Token: SeDebugPrivilege	1044	lsass.exe
Token: SeDebugPrivilege	1680	lsass.exe
Token: SeDebugPrivilege	2064	lsass.exe
Token: SeDebugPrivilege	2928	lsass.exe
Token: SeDebugPrivilege	1840	lsass.exe
Token: SeDebugPrivilege	2380	lsass.exe
Token: SeDebugPrivilege	2680	lsass.exe
Token: SeDebugPrivilege	1696	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2084	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	65
PID 2384 wrote to memory of 2084	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	65
PID 2384 wrote to memory of 2084	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	65
PID 2384 wrote to memory of 2072	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	66
PID 2384 wrote to memory of 2072	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	66
PID 2384 wrote to memory of 2072	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	66
PID 2384 wrote to memory of 756	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	68
PID 2384 wrote to memory of 756	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	68
PID 2384 wrote to memory of 756	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	68
PID 2384 wrote to memory of 1224	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	69
PID 2384 wrote to memory of 1224	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	69
PID 2384 wrote to memory of 1224	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	69
PID 2384 wrote to memory of 1748	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	71
PID 2384 wrote to memory of 1748	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	71
PID 2384 wrote to memory of 1748	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	71
PID 2384 wrote to memory of 860	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	73
PID 2384 wrote to memory of 860	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	73
PID 2384 wrote to memory of 860	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	73
PID 2384 wrote to memory of 1800	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	74
PID 2384 wrote to memory of 1800	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	74
PID 2384 wrote to memory of 1800	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	74
PID 2384 wrote to memory of 1840	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	75
PID 2384 wrote to memory of 1840	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	75
PID 2384 wrote to memory of 1840	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	75
PID 2384 wrote to memory of 2388	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	76
PID 2384 wrote to memory of 2388	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	76
PID 2384 wrote to memory of 2388	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	76
PID 2384 wrote to memory of 2164	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	77
PID 2384 wrote to memory of 2164	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	77
PID 2384 wrote to memory of 2164	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	77
PID 2384 wrote to memory of 1588	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	78
PID 2384 wrote to memory of 1588	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	78
PID 2384 wrote to memory of 1588	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	78
PID 2384 wrote to memory of 1356	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	85
PID 2384 wrote to memory of 1356	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	85
PID 2384 wrote to memory of 1356	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	85
PID 2384 wrote to memory of 2596	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	89
PID 2384 wrote to memory of 2596	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	89
PID 2384 wrote to memory of 2596	2384	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	89
PID 2596 wrote to memory of 944	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	129
PID 2596 wrote to memory of 944	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	129
PID 2596 wrote to memory of 944	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	129
PID 2596 wrote to memory of 1984	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	130
PID 2596 wrote to memory of 1984	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	130
PID 2596 wrote to memory of 1984	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	130
PID 2596 wrote to memory of 760	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	131
PID 2596 wrote to memory of 760	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	131
PID 2596 wrote to memory of 760	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	131
PID 2596 wrote to memory of 1672	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	132
PID 2596 wrote to memory of 1672	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	132
PID 2596 wrote to memory of 1672	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	132
PID 2596 wrote to memory of 548	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	133
PID 2596 wrote to memory of 548	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	133
PID 2596 wrote to memory of 548	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	133
PID 2596 wrote to memory of 2136	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	134
PID 2596 wrote to memory of 2136	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	134
PID 2596 wrote to memory of 2136	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	134
PID 2596 wrote to memory of 2976	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	135
PID 2596 wrote to memory of 2976	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	135
PID 2596 wrote to memory of 2976	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	135
PID 2596 wrote to memory of 2272	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	136
PID 2596 wrote to memory of 2272	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	136
PID 2596 wrote to memory of 2272	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	136
PID 2596 wrote to memory of 1084	2596	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe	137

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
"C:\Users\Admin\AppData\Local\Temp\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe
  "C:\Users\Admin\AppData\Local\Temp\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Program Files (x86)\Microsoft.NET\lsass.exe
    "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2696
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7941035-862c-4800-bd5c-8f25398e93f0.vbs"
      4⤵
      PID:2888
    - - C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:704
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca9d1735-cb82-45cb-9c52-0bbb13f209bd.vbs"
        6⤵
        
        PID:1336
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7369894e-004e-44b8-86bc-51208e7a9ec8.vbs"
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7100600d-8d3f-42b9-b829-49a2848cfdf1.vbs"
        10⤵
        
        PID:2336
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db759958-6371-418f-b630-b0f3022c8e3d.vbs"
        12⤵
        
        PID:2700
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db89315a-9ebb-40b8-8e0b-9444f7918e03.vbs"
        14⤵
        
        PID:1124
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211de22c-e075-4ced-b0c4-f5dd2c33d7cc.vbs"
        16⤵
        
        PID:2600
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e50e09-3db4-46b0-8562-930e7b97e75f.vbs"
        18⤵
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d3323ec-7ce8-4228-8f94-f19a89804f22.vbs"
        20⤵
        
        PID:2720
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33362901-fbcb-451b-9298-28386d0abfe8.vbs"
        22⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft.NET\lsass.exe
        
        "C:\Program Files (x86)\Microsoft.NET\lsass.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6221b8e-d3a6-428a-95c1-495113ade615.vbs"
        24⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbedb206-f131-41f3-b163-de7416cdcd5b.vbs"
        24⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b3b73bb-39bf-41ca-b8bc-acbb93e0aa13.vbs"
        22⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac0a0c32-c317-49b0-bb33-08e5ddeb8124.vbs"
        20⤵
        
        PID:596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e54efc-8bc9-43ed-bb73-b9a202f439d4.vbs"
        18⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4a03cec-d632-4a57-bfe0-4a09ce18e261.vbs"
        16⤵
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f539489-c430-4e07-81ae-78db02d94b9a.vbs"
        14⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b348cd50-f930-470f-899d-a89792910be1.vbs"
        12⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4397292a-0c4e-4478-b091-18abd5cc639d.vbs"
        10⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b53a0cf-023c-4465-8642-df112b6c547f.vbs"
        8⤵
        
        PID:2136
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b1650d5-fb9f-4f92-b425-6392dc7cb3f3.vbs"
        6⤵
        
        PID:1628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc51c3c0-480d-425f-a11f-4a93556619d4.vbs"
      4⤵
      PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54c" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54" /sc ONLOGON /tr "'C:\Users\Admin\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54c" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\211de22c-e075-4ced-b0c4-f5dd2c33d7cc.vbs

Filesize
722B

MD5
d934e40f241ce4230f0f928df674eb31

SHA1
ffd491df69bc75ac9041d8bed3497c0f43c35a2e

SHA256
e90b9199920021f8ce8b5c05b5aa112f0c8e55a47849c9b137b55ef2c1ffb525

SHA512
b4e890ad046fd56c6bed6e3ccb42296242a993ad4f8c349c37a2b3940298f847d228ce8095a9fbed1f672831f2b0988291cb9cabee6a57a993b407908b68ade0

Download Submit
C:\Users\Admin\AppData\Local\Temp\47e50e09-3db4-46b0-8562-930e7b97e75f.vbs

Filesize
722B

MD5
9231545143c57cd2bbb8937655c5742e

SHA1
edf271e32409d9dfbbb56aaec26b1d3912fe86bc

SHA256
5a7ad1df4596a4a38b051c916fa0bfea89f4a267969650b5494c2c50c1cbf9a8

SHA512
4662807be03e868bba40c0cb4165e4ede7f115ddb327b37c82124071dca499fad09453466f115e95608611fcc870a5392e5224b94674428806f803cc0ff0ce07

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d3323ec-7ce8-4228-8f94-f19a89804f22.vbs

Filesize
722B

MD5
5bd63fc6e78e1e9031e56190d1001417

SHA1
0870d224cb4d0f8473fa6c34d707dbbbdea9102f

SHA256
4a576b09b8918c9f2b9d9a442f61930a1a880fa7f44f6e888b259fd63d01551c

SHA512
c2240a8215d8b9d626bb44c45f9b771d79bccee516d1ec2c4bc0b5a262f5f261af46af2cdd4726b17bd7165a3511be17d05913d64f9c5f97adddd4cf1e6924b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7100600d-8d3f-42b9-b829-49a2848cfdf1.vbs

Filesize
722B

MD5
25a533af33ac24f374d1504b19e8bed8

SHA1
2075fb20ae92654709384c1867375c75cc9cf05e

SHA256
8d18cac445b331dd1ccd52f4b67cfcf796314b07daec1ab80634dfbaf4cd02c3

SHA512
feaf062bf39c1822da42db4049b3f3d56ea7eebf69ef82a96c59f1285a7e93460dde3faa156df11df0f8043232085625d61387369b4341919092bdc7c0328206

Download Submit
C:\Users\Admin\AppData\Local\Temp\7369894e-004e-44b8-86bc-51208e7a9ec8.vbs

Filesize
722B

MD5
8fe4b689d710cc23fcec1aad17c1a505

SHA1
74f48af8dda0736f861f3f6220b1084ea9313481

SHA256
015dc1f738c0f50cc783d1657075182d2ae75d12d4183ab65f4fa24f82ad1cc5

SHA512
91165f0004a2de44e5ad5d6b735cbef505990897ce2937c39e2a8e9366fe384a798130c9f81fe08dd7acc3bf350ffc69de252da4d7e9e85b7f9f0201774c01de

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc51c3c0-480d-425f-a11f-4a93556619d4.vbs

Filesize
498B

MD5
d8cd72201bd8129a803cbef19c695ca1

SHA1
e769e54f74ee41ddb65683eedb156b2d10ca584b

SHA256
e140aff5ec102c0df5d189e53764b6e3c8a4effbd7ce177ea4edc69c22b69b52

SHA512
a0b8b567bc639e1dd29fe17e98bcd3612747afea13733ab5c0dd26a87e9c8d1a13c6ff13873f2bc0f475a2aca7f6840d9a091c21d11dcd1a4fe040a70d7aece0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca9d1735-cb82-45cb-9c52-0bbb13f209bd.vbs

Filesize
721B

MD5
2c6fe7672621dc503d55937424e488db

SHA1
13a1a914ecccc6b1e8903e3f264c0f00adcb8f1c

SHA256
3b1dec3d3d8ab884054eb0832fbc1a5dd2f05aef3ba5b6fe03e6ce13bd483374

SHA512
4b7f0f4811cafad2d09d342b177b2cf9b883559b3d0ab7d6caf0725c9bd30c968dd108e500185e93913b1d56478b18f6685ca7d405d213ff3bdddfd45688cb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\db759958-6371-418f-b630-b0f3022c8e3d.vbs

Filesize
722B

MD5
007dccd4021a2ec2900a9c4f2993355a

SHA1
cf39a461b516cb90ff35df7b14d7a1b00884646b

SHA256
1dbd2cf186ebf31a2465f3fcc0a3dc384bac2aa057be9ef181104d4f0d4c4db3

SHA512
b52e4482ad9274f44ab9a9c1fdcb59b78e6ebb532d6db81f9332ceacee318b029131114f39d8a7a24d21530828d6551506d50c06c889546462a26f15bbb4dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\db89315a-9ebb-40b8-8e0b-9444f7918e03.vbs

Filesize
722B

MD5
32c2860935e7737329ac45fee5d5a6ca

SHA1
54754dcc9b788e839f6c3489a93e989f0b4b3ae7

SHA256
dbe63eb6d5d863fb6ef687f220b22eba46f1d467ea4a085a308f1be4cf9809eb

SHA512
718d0c9d89e9a0547e17bfb542420f2d9a1c157ea0983064d687d71d598bb197ad59b32be6d2020c8342b01b419a2a59b85a4844970a9605417d316f513df4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7941035-862c-4800-bd5c-8f25398e93f0.vbs

Filesize
722B

MD5
7571db4b252ebe04f2806188fd289b22

SHA1
8ec9222b1fa3e429764b46b60755b7b712649adc

SHA256
8fbbf7a5c8668e8677647dedbc9e90dec5542ef405aa2a2cf30d966e6f31c91a

SHA512
047bfb58e3ea6e39acbfd9d29abab9e7d7c983a278d673dc62d2ffb8d1499eb8faa1b220571339a25220fad39b8271a0ac033d17d118cb421b27a1f758ca1dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF8D.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ebe8f5b70f2685d4f56ec8a973509a9

SHA1
ce300d8945abe98bb6955e6bee880f727494f577

SHA256
edeee7102864fcc509ec534df5aee9438936320b7e44ae6e3eefaf7a92406b0b

SHA512
14fe57e53d5a624cbb8e5d5b1700f311ce4c066f395eb3ca6963ac4b4012bb14bdf2e5c2e4d49380eec05c6e569971fa51ee464006ca6eea9b10c4c9543744ca

Download Submit
C:\Users\Public\Libraries\taskhost.exe

Filesize
4.9MB

MD5
718df7dabb3438f7b1ccc887115b31b2

SHA1
f7282cefb6ffdfb203b69c470b4a6e75f0d9acbe

SHA256
c951acbf8607c1793e33f2f5daff65d25222988f14ab250bed9b6c884083df54

SHA512
515ff9079f72bb9d2e122b6c8eab7a0796ae8d26b9c5d998371101005cc71ecd2f2cc02a5b9b8f8a3cb287e7c50bf2e89f317378140add8a8d08039a240e5455

Download Submit
memory/704-322-0x0000000000F60000-0x0000000001454000-memory.dmp

Filesize
5.0MB

Download
memory/1044-352-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/1680-367-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/1696-454-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/1696-453-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/1840-413-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/1984-253-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/1984-252-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2064-383-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2064-382-0x0000000000DD0000-0x00000000012C4000-memory.dmp

Filesize
5.0MB

Download
memory/2072-131-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2072-146-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2380-428-0x0000000000090000-0x0000000000584000-memory.dmp

Filesize
5.0MB

Download
memory/2384-1-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/2384-6-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2384-16-0x00000000026D0000-0x00000000026DC000-memory.dmp

Filesize
48KB

Download
memory/2384-14-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2384-15-0x00000000026C0000-0x00000000026C8000-memory.dmp

Filesize
32KB

Download
memory/2384-13-0x0000000002510000-0x000000000251E000-memory.dmp

Filesize
56KB

Download
memory/2384-3-0x000000001B790000-0x000000001B8BE000-memory.dmp

Filesize
1.2MB

Download
memory/2384-12-0x0000000002500000-0x000000000250E000-memory.dmp

Filesize
56KB

Download
memory/2384-11-0x00000000024F0000-0x00000000024FA000-memory.dmp

Filesize
40KB

Download
memory/2384-10-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/2384-9-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2384-8-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2384-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

Filesize
4KB

Download
memory/2384-168-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-7-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/2384-2-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-4-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/2384-5-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2396-337-0x0000000000FE0000-0x00000000014D4000-memory.dmp

Filesize
5.0MB

Download
memory/2596-185-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2680-442-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2696-308-0x000000001B1D0000-0x000000001B1E2000-memory.dmp

Filesize
72KB

Download
memory/2696-277-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/2928-398-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download