dcrat | 0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Size

2.7MB
MD5

998c94eae1bc93bee0f180c355a01bbd
SHA1

8bec6f30ced392705452a00f290930d2d721d596
SHA256

0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae
SHA512

b9569f5d405bae77de2aaaf08d68a4971cb45f7c4786d8999ed4666e8cc70acca015aa8d6674fb356cc76741be3c532f86d5b2b753ceaeb91c315fe2ef5560e2
SSDEEP

49152:sDkZWCF2T8juUND4YQxZzfllulb0fnyN27mEGnjYEhQ+QK:N4CF2sjELplCbmyN27PxEhQ+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		644	schtasks.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\ea9f0e6c9e2dcd		0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
		1516	schtasks.exe
		4072	schtasks.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\121e5b5079f7c0		0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
		3232	schtasks.exe
		3080	schtasks.exe
		1752	schtasks.exe
		2216	schtasks.exe
		4484	schtasks.exe
		4936	schtasks.exe
		4684	schtasks.exe
		1556	schtasks.exe
		4524	schtasks.exe
		3316	schtasks.exe
		1672	schtasks.exe
		3384	schtasks.exe
		2616	schtasks.exe
		3440	schtasks.exe
		4500	schtasks.exe
		1396	schtasks.exe
		4976	schtasks.exe
		3256	schtasks.exe
		1764	schtasks.exe
		1020	schtasks.exe
		3148	schtasks.exe
		1324	schtasks.exe
		4524	schtasks.exe
		1216	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
		4988	schtasks.exe
		776	schtasks.exe
		2772	schtasks.exe
		1540	schtasks.exe
		4128	schtasks.exe
File created	C:\Program Files\Crashpad\attachments\ea9f0e6c9e2dcd		0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
		2052	schtasks.exe
		1952	schtasks.exe
		2936	schtasks.exe
		5004	schtasks.exe
		892	schtasks.exe
		2076	schtasks.exe
		4420	schtasks.exe
		3316	schtasks.exe
		3208	schtasks.exe
		4492	schtasks.exe
		316	schtasks.exe
		4512	schtasks.exe
		1780	schtasks.exe
		5008	schtasks.exe
		4492	schtasks.exe
		780	schtasks.exe
		1920	schtasks.exe
File created	C:\Program Files\Windows Media Player\ja-JP\e6c9b481da804f		0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
		4552	schtasks.exe
		2256	schtasks.exe
		1504	schtasks.exe
		3312	schtasks.exe
		632	schtasks.exe
		2628	schtasks.exe
		2376	schtasks.exe
		4328	schtasks.exe
		1168	schtasks.exe
		4068	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4560	schtasks.exe	82

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3004-1-0x0000000000F80000-0x0000000001234000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b8c-30.dat	dcrat
behavioral2/files/0x000b000000023b87-102.dat	dcrat
behavioral2/files/0x000b000000023b98-148.dat	dcrat
behavioral2/files/0x000d000000023b9b-159.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
336	dllhost.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RuntimeBroker.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Crashpad\attachments\taskhostw.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Crashpad\attachments\ea9f0e6c9e2dcd	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Microsoft Office 15\9e8d7a4ca61bd9	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Windows Media Player\ja-JP\e6c9b481da804f	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Internet Explorer\c5b4cb5e9653cc	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Windows Portable Devices\5b884080fd4f94	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Microsoft Office 15\RuntimeBroker.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\121e5b5079f7c0	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Crashpad\attachments\taskhostw.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\sysmon.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCX9E33.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX9A09.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\OfficeClickToRun.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6ccacd8608530f	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\55b276f4edf653	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\6ccacd8608530f	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX96F8.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Windows NT\Accessories\services.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCX92CE.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Internet Explorer\services.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCX9E32.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Windows NT\Accessories\c5b4cb5e9653cc	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Common Files\Oracle\dllhost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Common Files\Oracle\5940a34987c991	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCX92DF.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX94E4.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX9709.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\68e3874a9365ed	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\dllhost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\services.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Internet Explorer\services.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\sysmon.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Program Files\Windows Media Player\ja-JP\OfficeClickToRun.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX94E3.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX998B.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\taskhostw.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\RCXA2DA.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\Tasks\OfficeClickToRun.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\ea9f0e6c9e2dcd	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\Branding\Basebrd\es-ES\66fc9ff0ee96c2	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\RCXA048.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\CbsTemp\dllhost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\RCXA047.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\RCXA358.tmp	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\CbsTemp\5940a34987c991	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\LiveKernelReports\WmiPrvSE.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\taskhostw.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\servicing\StartMenuExperienceHost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\Tasks\e6c9b481da804f	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\LiveKernelReports\WmiPrvSE.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\LiveKernelReports\24dbde2999530e	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\Tasks\OfficeClickToRun.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\Branding\Basebrd\es-ES\sihost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\sihost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
File created	C:\Windows\CbsTemp\dllhost.exe	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4420	schtasks.exe
748	schtasks.exe
4552	schtasks.exe
3080	schtasks.exe
100	schtasks.exe
1700	schtasks.exe
5008	schtasks.exe
4064	schtasks.exe
2968	schtasks.exe
2052	schtasks.exe
2256	schtasks.exe
2376	schtasks.exe
1168	schtasks.exe
4484	schtasks.exe
1116	schtasks.exe
2772	schtasks.exe
3232	schtasks.exe
4884	schtasks.exe
892	schtasks.exe
1752	schtasks.exe
536	schtasks.exe
1780	schtasks.exe
3148	schtasks.exe
4072	schtasks.exe
2248	schtasks.exe
316	schtasks.exe
3440	schtasks.exe
2076	schtasks.exe
4128	schtasks.exe
1396	schtasks.exe
644	schtasks.exe
1656	schtasks.exe
3256	schtasks.exe
2936	schtasks.exe
4512	schtasks.exe
1504	schtasks.exe
1764	schtasks.exe
2876	schtasks.exe
628	schtasks.exe
3496	schtasks.exe
3548	schtasks.exe
1540	schtasks.exe
1556	schtasks.exe
3316	schtasks.exe
1216	schtasks.exe
4524	schtasks.exe
780	schtasks.exe
4976	schtasks.exe
1524	schtasks.exe
4684	schtasks.exe
1516	schtasks.exe
2884	schtasks.exe
4784	schtasks.exe
1324	schtasks.exe
1952	schtasks.exe
1672	schtasks.exe
3712	schtasks.exe
632	schtasks.exe
1752	schtasks.exe
1020	schtasks.exe
776	schtasks.exe
3312	schtasks.exe
3224	schtasks.exe
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
336	dllhost.exe
336	dllhost.exe
336	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
336	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Token: SeDebugPrivilege	2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Token: SeDebugPrivilege	336	dllhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4344	3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe	118
PID 3004 wrote to memory of 4344	3004	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe	118
PID 4344 wrote to memory of 3280	4344	cmd.exe	120
PID 4344 wrote to memory of 3280	4344	cmd.exe	120
PID 4344 wrote to memory of 2884	4344	cmd.exe	123
PID 4344 wrote to memory of 2884	4344	cmd.exe	123
PID 2884 wrote to memory of 336	2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe	178
PID 2884 wrote to memory of 336	2884	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe	178

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
"C:\Users\Admin\AppData\Local\Temp\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KeWzk8OD4y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe
    "C:\Users\Admin\AppData\Local\Temp\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2884
  - - C:\Windows\CbsTemp\dllhost.exe
      "C:\Windows\CbsTemp\dllhost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\pris\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\es-ES\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\es-ES\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\es-ES\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae0" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae0" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae0" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae0" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\_AE433EA7-2986-4221-975E-E1E936E8A977\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\_AE433EA7-2986-4221-975E-E1E936E8A977\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\_AE433EA7-2986-4221-975E-E1E936E8A977\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\dllhost.exe'" /f
1⤵
- DcRat
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Tasks\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\services.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\USOShared\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /f
1⤵
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe

Filesize
2.7MB

MD5
998c94eae1bc93bee0f180c355a01bbd

SHA1
8bec6f30ced392705452a00f290930d2d721d596

SHA256
0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae

SHA512
b9569f5d405bae77de2aaaf08d68a4971cb45f7c4786d8999ed4666e8cc70acca015aa8d6674fb356cc76741be3c532f86d5b2b753ceaeb91c315fe2ef5560e2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe

Filesize
2.7MB

MD5
6c965ce1e64e1fdd1115a7f68d3b5745

SHA1
02e11181830cde88de0c7b3193b4adf0b51ded39

SHA256
514a4312530faecff162f6cd38930cf36aeb546950e6e7c318019b81fbd69fc1

SHA512
9cdb9337d85744fed64433f4992ae08125d7860303e29ac534f6176de88fb0626d0bfaaabab6747b83b86d19259a28033eab70372c13ae76693390a75c656647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0bc818b4d36da5b093c5ab3c63ec76e9b7d8526ef3d80ecfabcabca8ad00daae.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeWzk8OD4y.bat

Filesize
267B

MD5
baea84870c3f81cbaf715a291b5e0aa1

SHA1
5e50d88a2ced30cc010c07ae1a5e046f9124bdc6

SHA256
a00b980e3c01118e1ae573c0b2e0d35326e0425221ad431c8a19f623ae0a4fba

SHA512
377e730b9eaf46fe7b5ef0dc9675d83d5b8d139ee1667a868650d4c2ebf99d840873eac778e546ffdde6dbc8210e903be1439539004335fd7d1062001ab1db2e

Download Submit
C:\Users\Admin\Videos\dllhost.exe

Filesize
2.7MB

MD5
304110a3097e19041795c0550f4454d3

SHA1
75585f43b2ed349c4ec6e85f6be6c60a17f65a3a

SHA256
2bfed9138d7d86ae789dd43095e673f218c67bc39fe03034c948e3ac3428e9be

SHA512
9ebd80424393af3deabbb50de07372f5a14bf683a837ac1799e0a78319fc8a781d8d8b0a7a89d9dd6effc12b29e1b3bc1140a4b39ec6392b6e8aeff83a36b699

Download Submit
C:\Windows\Branding\Basebrd\es-ES\sihost.exe

Filesize
2.7MB

MD5
6cdfd625c130092ee3ee58ebfca14965

SHA1
ed67f5e88bf043bcabdd92c9d039a3d7ea943d3c

SHA256
9bc43efa9666b7edc41e4b4c2fd9cdc3578fa2f40d8908f22318f1d19ed18be4

SHA512
72fb9456798ad0b277bd066f5de836d9e006e2d4e052a6b7b63a988a86732bd9912d4483f3cca20c8092c50e6a042b4efbd6a53a5efe172c332d730b68493fa8

Download Submit
memory/336-278-0x000000001B230000-0x000000001B242000-memory.dmp

Filesize
72KB

Download
memory/3004-14-0x000000001CAF0000-0x000000001D018000-memory.dmp

Filesize
5.2MB

Download
memory/3004-18-0x000000001C5E0000-0x000000001C5EE000-memory.dmp

Filesize
56KB

Download
memory/3004-9-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/3004-10-0x000000001BDB0000-0x000000001BDBA000-memory.dmp

Filesize
40KB

Download
memory/3004-11-0x000000001C550000-0x000000001C5A6000-memory.dmp

Filesize
344KB

Download
memory/3004-12-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

Filesize
32KB

Download
memory/3004-13-0x000000001BDD0000-0x000000001BDE2000-memory.dmp

Filesize
72KB

Download
memory/3004-0-0x00007FFEC6143000-0x00007FFEC6145000-memory.dmp

Filesize
8KB

Download
memory/3004-15-0x000000001BDE0000-0x000000001BDE8000-memory.dmp

Filesize
32KB

Download
memory/3004-16-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

Filesize
32KB

Download
memory/3004-17-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/3004-8-0x000000001BD80000-0x000000001BD96000-memory.dmp

Filesize
88KB

Download
memory/3004-19-0x000000001C5F0000-0x000000001C5FC000-memory.dmp

Filesize
48KB

Download
memory/3004-20-0x000000001C600000-0x000000001C60A000-memory.dmp

Filesize
40KB

Download
memory/3004-21-0x000000001C610000-0x000000001C61C000-memory.dmp

Filesize
48KB

Download
memory/3004-6-0x0000000003380000-0x0000000003388000-memory.dmp

Filesize
32KB

Download
memory/3004-7-0x000000001BD70000-0x000000001BD80000-memory.dmp

Filesize
64KB

Download
memory/3004-5-0x000000001C500000-0x000000001C550000-memory.dmp

Filesize
320KB

Download
memory/3004-4-0x0000000003360000-0x000000000337C000-memory.dmp

Filesize
112KB

Download
memory/3004-168-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/3004-3-0x0000000003300000-0x000000000330E000-memory.dmp

Filesize
56KB

Download
memory/3004-2-0x00007FFEC6140000-0x00007FFEC6C01000-memory.dmp

Filesize
10.8MB

Download
memory/3004-1-0x0000000000F80000-0x0000000001234000-memory.dmp

Filesize
2.7MB

Download