dcrat | 70bba6e748b04c937188f113389a3c90bf30806add70222b920886a57b0bdd98

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a186984a7cc6c1fd4317dffed3a78e.exe
Size

5.9MB
MD5

11a186984a7cc6c1fd4317dffed3a78e
SHA1

d31fb2b589d256066864e0440a89016b1faf1ef6
SHA256

4d29cffe0e740e46838c1497e7988b857b5b124b64d9788fffcd8ae35b36d23b
SHA512

b624b6326300e95dc2fb6867ac8cc3614fddcadfabb5dcc7949546bd4454b1df1be15b468c5e8e208d74e3b7ad69e4f7a820e942f1683fc012535d8edc23a1fc
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4m:hyeU11Rvqmu8TWKnF6N/1wb

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2316	schtasks.exe
		2152	schtasks.exe
		2508	schtasks.exe
		3064	schtasks.exe
		876	schtasks.exe
		2468	schtasks.exe
		2332	schtasks.exe
		1912	schtasks.exe
		2624	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792		11a186984a7cc6c1fd4317dffed3a78e.exe
		1704	schtasks.exe
		1888	schtasks.exe
		2804	schtasks.exe
		2124	schtasks.exe
		2360	schtasks.exe
		1960	schtasks.exe
		1580	schtasks.exe
		2972	schtasks.exe
		2092	schtasks.exe
		1644	schtasks.exe
		1892	schtasks.exe
		1244	schtasks.exe
		2168	schtasks.exe
		1516	schtasks.exe
		2004	schtasks.exe
File created	C:\Program Files (x86)\Common Files\Services\6ccacd8608530f		11a186984a7cc6c1fd4317dffed3a78e.exe
		2284	schtasks.exe
		2388	schtasks.exe
		2772	schtasks.exe
		3032	schtasks.exe
		1712	schtasks.exe
		1244	schtasks.exe
		2736	schtasks.exe
		1228	schtasks.exe
		1444	schtasks.exe
File created	C:\Program Files\Java\jre7\8e42dea273a87f		11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b		11a186984a7cc6c1fd4317dffed3a78e.exe
		1980	schtasks.exe
		3008	schtasks.exe
		2988	schtasks.exe
		2304	schtasks.exe
		2524	schtasks.exe
		1096	schtasks.exe
		2980	schtasks.exe
		1884	schtasks.exe
		2600	schtasks.exe
		864	schtasks.exe
		596	schtasks.exe
		2108	schtasks.exe
File created	C:\Program Files\VideoLAN\VLC\cc11b995f2a76d		11a186984a7cc6c1fd4317dffed3a78e.exe
		1496	schtasks.exe
		2920	schtasks.exe
		2500	schtasks.exe
		1716	schtasks.exe
		2016	schtasks.exe
		2880	schtasks.exe
		2168	schtasks.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\6203df4a6bafc7		11a186984a7cc6c1fd4317dffed3a78e.exe
		2268	schtasks.exe
		3040	schtasks.exe
		444	schtasks.exe
		1344	schtasks.exe
		1812	schtasks.exe
		1720	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	792	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	792	schtasks.exe	30

UAC bypass 3 TTPs 18 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
2432	powershell.exe
1392	powershell.exe
996	powershell.exe
2824	powershell.exe
2212	powershell.exe
1312	powershell.exe
892	powershell.exe
1896	powershell.exe
2348	powershell.exe
2976	powershell.exe
2248	powershell.exe
1936	powershell.exe
2732	powershell.exe
2628	powershell.exe
2268	powershell.exe
1312	powershell.exe
1628	powershell.exe
2156	powershell.exe
1588	powershell.exe
2472	powershell.exe
2328	powershell.exe
896	powershell.exe
2192	powershell.exe
2200	powershell.exe
1872	powershell.exe
2892	powershell.exe
2268	powershell.exe
2040	powershell.exe
3028	powershell.exe
1584	powershell.exe
1896	powershell.exe
1804	powershell.exe
1080	powershell.exe
1764	powershell.exe
2384	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	11a186984a7cc6c1fd4317dffed3a78e.exe

Executes dropped EXE 5 IoCs

pid	Process
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
1272	11a186984a7cc6c1fd4317dffed3a78e.exe
2984	WMIADAP.exe
2604	WMIADAP.exe
308	WMIADAP.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
1272	11a186984a7cc6c1fd4317dffed3a78e.exe
1272	11a186984a7cc6c1fd4317dffed3a78e.exe
2984	WMIADAP.exe
2984	WMIADAP.exe
2604	WMIADAP.exe
2604	WMIADAP.exe
308	WMIADAP.exe
308	WMIADAP.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\lsm.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\Internet Explorer\f3b6ecef712a24	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCX87BE.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Java\jre7\11a186984a7cc6c1fd4317dffed3a78e.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX8328.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\Java\jre7\8e42dea273a87f	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\Internet Explorer\spoolsv.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\VideoLAN\VLC\cc11b995f2a76d	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX8339.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCX87CF.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\MSBuild\lsm.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\Java\jre7\11a186984a7cc6c1fd4317dffed3a78e.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Java\jre7\RCX8C64.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\Idle.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Internet Explorer\spoolsv.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX9408.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX9418.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Reference Assemblies\wininit.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\DVD Maker\fr-FR\75a57c1bdf437c	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX8EE5.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\VideoLAN\VLC\winlogon.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Common Files\Services\6ccacd8608530f	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\6203df4a6bafc7	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX9197.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\6cb0b6c459d5d3	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Reference Assemblies\56085415360792	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\wininit.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Common Files\Services\Idle.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Java\jre7\RCX8C74.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX8F73.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX9186.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\winlogon.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\dwm.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\MSBuild\101b941d020240	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\dwm.exe	11a186984a7cc6c1fd4317dffed3a78e.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DigitalLocker\es-ES\smss.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\Cursors\smss.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\DigitalLocker\es-ES\smss.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\Vss\Writers\audiodg.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\Vss\Writers\audiodg.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\tracing\services.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\tracing\c5b4cb5e9653cc	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\tracing\services.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\DigitalLocker\es-ES\69ddcba757bf72	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\TAPI\smss.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\TAPI\smss.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\TAPI\69ddcba757bf72	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\TAPI\RCX80A7.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\TAPI\RCX80F6.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\Vss\Writers\RCX89E2.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\Vss\Writers\42af1c969fbb7b	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\Vss\Writers\RCX8A50.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Windows\Cursors\69ddcba757bf72	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Windows\Cursors\smss.exe	11a186984a7cc6c1fd4317dffed3a78e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe
1444	schtasks.exe
1940	schtasks.exe
1200	schtasks.exe
3064	schtasks.exe
864	schtasks.exe
3008	schtasks.exe
1880	schtasks.exe
1496	schtasks.exe
1980	schtasks.exe
2000	schtasks.exe
1644	schtasks.exe
2996	schtasks.exe
1516	schtasks.exe
2596	schtasks.exe
2772	schtasks.exe
1744	schtasks.exe
876	schtasks.exe
1244	schtasks.exe
3040	schtasks.exe
444	schtasks.exe
1480	schtasks.exe
1160	schtasks.exe
1500	schtasks.exe
2308	schtasks.exe
2548	schtasks.exe
1056	schtasks.exe
2316	schtasks.exe
3032	schtasks.exe
2152	schtasks.exe
3032	schtasks.exe
2468	schtasks.exe
2304	schtasks.exe
1912	schtasks.exe
2972	schtasks.exe
2016	schtasks.exe
1312	schtasks.exe
1868	schtasks.exe
1888	schtasks.exe
1820	schtasks.exe
2936	schtasks.exe
2500	schtasks.exe
2092	schtasks.exe
2268	schtasks.exe
2460	schtasks.exe
2168	schtasks.exe
2004	schtasks.exe
2988	schtasks.exe
2372	schtasks.exe
596	schtasks.exe
2980	schtasks.exe
1420	schtasks.exe
2172	schtasks.exe
1704	schtasks.exe
1892	schtasks.exe
2476	schtasks.exe
2264	schtasks.exe
1884	schtasks.exe
1096	schtasks.exe
2804	schtasks.exe
2360	schtasks.exe
1596	schtasks.exe
2624	schtasks.exe
2464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2848	11a186984a7cc6c1fd4317dffed3a78e.exe
2732	powershell.exe
2472	powershell.exe
1872	powershell.exe
2248	powershell.exe
896	powershell.exe
892	powershell.exe
1588	powershell.exe
1584	powershell.exe
2200	powershell.exe
2192	powershell.exe
2824	powershell.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe
2504	11a186984a7cc6c1fd4317dffed3a78e.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	11a186984a7cc6c1fd4317dffed3a78e.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2504	11a186984a7cc6c1fd4317dffed3a78e.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1272	11a186984a7cc6c1fd4317dffed3a78e.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2984	WMIADAP.exe
Token: SeDebugPrivilege	2604	WMIADAP.exe
Token: SeDebugPrivilege	308	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 896	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	58
PID 2848 wrote to memory of 896	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	58
PID 2848 wrote to memory of 896	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	58
PID 2848 wrote to memory of 892	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	59
PID 2848 wrote to memory of 892	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	59
PID 2848 wrote to memory of 892	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	59
PID 2848 wrote to memory of 1872	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	61
PID 2848 wrote to memory of 1872	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	61
PID 2848 wrote to memory of 1872	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	61
PID 2848 wrote to memory of 2472	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	63
PID 2848 wrote to memory of 2472	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	63
PID 2848 wrote to memory of 2472	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	63
PID 2848 wrote to memory of 1896	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	64
PID 2848 wrote to memory of 1896	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	64
PID 2848 wrote to memory of 1896	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	64
PID 2848 wrote to memory of 1588	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	65
PID 2848 wrote to memory of 1588	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	65
PID 2848 wrote to memory of 1588	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	65
PID 2848 wrote to memory of 2200	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	66
PID 2848 wrote to memory of 2200	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	66
PID 2848 wrote to memory of 2200	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	66
PID 2848 wrote to memory of 2824	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	67
PID 2848 wrote to memory of 2824	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	67
PID 2848 wrote to memory of 2824	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	67
PID 2848 wrote to memory of 1584	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	68
PID 2848 wrote to memory of 1584	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	68
PID 2848 wrote to memory of 1584	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	68
PID 2848 wrote to memory of 2192	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	69
PID 2848 wrote to memory of 2192	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	69
PID 2848 wrote to memory of 2192	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	69
PID 2848 wrote to memory of 2248	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	70
PID 2848 wrote to memory of 2248	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	70
PID 2848 wrote to memory of 2248	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	70
PID 2848 wrote to memory of 2732	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	71
PID 2848 wrote to memory of 2732	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	71
PID 2848 wrote to memory of 2732	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	71
PID 2848 wrote to memory of 2504	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	82
PID 2848 wrote to memory of 2504	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	82
PID 2848 wrote to memory of 2504	2848	11a186984a7cc6c1fd4317dffed3a78e.exe	82
PID 2504 wrote to memory of 2348	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	139
PID 2504 wrote to memory of 2348	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	139
PID 2504 wrote to memory of 2348	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	139
PID 2504 wrote to memory of 2384	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	140
PID 2504 wrote to memory of 2384	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	140
PID 2504 wrote to memory of 2384	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	140
PID 2504 wrote to memory of 1312	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	141
PID 2504 wrote to memory of 1312	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	141
PID 2504 wrote to memory of 1312	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	141
PID 2504 wrote to memory of 2328	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	143
PID 2504 wrote to memory of 2328	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	143
PID 2504 wrote to memory of 2328	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	143
PID 2504 wrote to memory of 2212	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	144
PID 2504 wrote to memory of 2212	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	144
PID 2504 wrote to memory of 2212	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	144
PID 2504 wrote to memory of 1896	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	146
PID 2504 wrote to memory of 1896	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	146
PID 2504 wrote to memory of 1896	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	146
PID 2504 wrote to memory of 1936	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	148
PID 2504 wrote to memory of 1936	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	148
PID 2504 wrote to memory of 1936	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	148
PID 2504 wrote to memory of 1080	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	149
PID 2504 wrote to memory of 1080	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	149
PID 2504 wrote to memory of 1080	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	149
PID 2504 wrote to memory of 1804	2504	11a186984a7cc6c1fd4317dffed3a78e.exe	150

System policy modification 1 TTPs 18 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe
"C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe"
1⤵
- DcRat
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe
  "C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r5o12t4NRP.bat"
    3⤵
    PID:2848
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe
      "C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUzUS1TuH8.bat"
        5⤵
        
        PID:1732
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1888
      - C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\711d2cdd-440d-4f8e-b222-20d7c76af5ab.vbs"
        7⤵
        
        PID:2512
        
        C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fd9e12e-d03f-49d1-a2c6-c0c395081a2d.vbs"
        9⤵
        
        PID:2004
        
        C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a022cc8e-dd0e-4b64-86e6-67518258be4e.vbs"
        11⤵
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\668dca3e-3b52-4318-b149-10f08cf24a7b.vbs"
        11⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65136bc0-5941-445a-8d29-b81ff07e47cb.vbs"
        9⤵
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39cccb1a-ab45-48c5-95a8-b50787803231.vbs"
        7⤵
        
        PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11a186984a7cc6c1fd4317dffed3a78e1" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\11a186984a7cc6c1fd4317dffed3a78e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11a186984a7cc6c1fd4317dffed3a78e" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\11a186984a7cc6c1fd4317dffed3a78e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11a186984a7cc6c1fd4317dffed3a78e1" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\11a186984a7cc6c1fd4317dffed3a78e.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\OSPPSVC.exe'" /f
1⤵
- DcRat
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\lsm.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
1⤵
- DcRat
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\sppsvc.exe'" /f
1⤵
- DcRat
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /f
1⤵
- DcRat
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792

Filesize
732B

MD5
27f8e604a39302b499f3fd3cbed6628d

SHA1
e346cf791d727dc5a11970cae0316ba95a6f6639

SHA256
63c67d267cb349d4ea8bc808016e3955c86bc2241631a399c5ff3826ebae290c

SHA512
2f85b9f1fa11369674d6a3264328ef1d605b0d5da98bae02d63f5001fbd3c9d9168b81448483a708d60ee562ecb0810473f181ea70433c0a90e4e09a6a70c0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\39cccb1a-ab45-48c5-95a8-b50787803231.vbs

Filesize
496B

MD5
7863a9f09c9a1eaea94903e630035763

SHA1
9a71a52183fd26ad1da559f8decf48e3ba3b437d

SHA256
7968a7fd7327ea39804710676f4d5e33100ba7679d0fba8bde8e68a63fa1fb10

SHA512
044eccfadd3f3faed18723cbf607beb42672ff3b14c0a4db56b167100007bd73dd425be6f99f1f35b3d1679963d8c91031a761d7e7eef5fc14355fa7dce4bedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fd9e12e-d03f-49d1-a2c6-c0c395081a2d.vbs

Filesize
720B

MD5
bd7b8c0bd41081e8a9f0c0cdc9b2b5e5

SHA1
52f240a96d6d4fd47d6ac80c507af63e8358a99e

SHA256
e8f655648d4c17cbaa10e037b97c20d553479f8d93fe87369919f21719814559

SHA512
4bcf23dc9fa625910a062063b2ffaa10a365cac7e9c6854aa226e0f1425c166fce4b0ce5340813395ba430e1336b0415e1912a420a4d60994c2d9de8a8538339

Download Submit
C:\Users\Admin\AppData\Local\Temp\711d2cdd-440d-4f8e-b222-20d7c76af5ab.vbs

Filesize
720B

MD5
9d96580e3ffc97be92d90ccf757a55c2

SHA1
5a51fa7d18a6763c90a42f58c5e4fe05e01ba6af

SHA256
e81c6d21a273efdc0b8d216151017fad950443ba330d4ca9076e71b3b7f3a7fe

SHA512
2476de963d97d41504756caf63a1c58269c0b03a94a65e7c0754eb18905389ad33749ebc1a61cd4218c5b601deb71500a7aa0c6133c03e926a8947ef9f35bd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\a022cc8e-dd0e-4b64-86e6-67518258be4e.vbs

Filesize
719B

MD5
dbc17655f596934aee64e4410862b418

SHA1
65e71c2ab0a37bc3ad22629bc54725f95b7ae717

SHA256
8903d3e4d519d6f3f6d1550aa203fef6b9b28ee3748ff7f3946fbe86b1a4949d

SHA512
43eeb660fe682aa1a18e7c3e5008424b3e49fb176a5674a3236ee9ac2b4aa111c954232c65c5d5cc3574bf3344220344dace6fca9571ac320ec3f9c3592d7e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUzUS1TuH8.bat

Filesize
209B

MD5
d444f4777af5d8f1683fb79741bff22d

SHA1
7fe8aa25db9bfde827bba686ef4d4a8ccec343ef

SHA256
6a87afc053be0a3018a14e32408c04ea3cc4ee609c7d5540a89df80fba4e1605

SHA512
615ce08717cd5db588521fde4a6b8773e740757f9e88214e8fafbbf115c8b7bfc8f6068af9ace0af0b3fe491689761f2b5d8971ae32e045374858519fc1ffed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5o12t4NRP.bat

Filesize
235B

MD5
7504174f2678e639f5e5981f7ee2d73f

SHA1
8a13b32cd86a4378b5690edf0e5e66f066f7baab

SHA256
790ae4d0a7035f1c0ffe84c93b6d10e14f6759644b360c1285dc207e68a4d8d6

SHA512
8edf7cace4f54d47a944a7235f5a4381a88a04ee9e5a3e8d9a8e84f79901b02be8e72e79fbb9f39e3afef9d05770ffe99d8c9c96f601ed4a9e3cbe5b845d115b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60284914d5d48da7074e18c0f6095d84

SHA1
8415e4e6703bf9d3b17d9019897542afd997fed6

SHA256
17cf4122718962a0f8782eaae1ccb8281212ef6e50e872a3ffb7dacb2822a7ed

SHA512
a402085a32bcc278fb568a6f6f8d528b4f26736b25b7d9da8089ae0920f654a9b6b6c40433e013e0977aa94647af5ffcf2cbd928e684cb634f5da7574e48f757

Download Submit
C:\Users\Default\Desktop\smss.exe

Filesize
5.9MB

MD5
8171eed966c8a107a32ae09a0b716d2b

SHA1
5adcfe543c8e1545096c4a58dfaae1c9bac4743f

SHA256
fcad9a39a239259c1ce7d712f82db3dcd904d22a38f843f0be9a888690c6e5e7

SHA512
0d035aacd441a11e124d8d21824516539937fd9d5ca005ce7b06783d95444f32ce93701d45310c136fbd2a4450ad04cd4962f893c6016b6abce94c8432f65899

Download Submit
C:\Windows\Vss\Writers\audiodg.exe

Filesize
5.9MB

MD5
11a186984a7cc6c1fd4317dffed3a78e

SHA1
d31fb2b589d256066864e0440a89016b1faf1ef6

SHA256
4d29cffe0e740e46838c1497e7988b857b5b124b64d9788fffcd8ae35b36d23b

SHA512
b624b6326300e95dc2fb6867ac8cc3614fddcadfabb5dcc7949546bd4454b1df1be15b468c5e8e208d74e3b7ad69e4f7a820e942f1683fc012535d8edc23a1fc

Download Submit
C:\Windows\Vss\Writers\audiodg.exe

Filesize
5.9MB

MD5
29760b443ba9d657b6e66616d40c0673

SHA1
88445d70c3c83fdf19548b4633612076cfef4e03

SHA256
648ae503b9aecfbb97ab74b89547088747da82c880e70e6d98d05add72d7c8a9

SHA512
f55da32faa164c016029886a58846fe7ea175277963d5665320a8ff591809a13ff45d6e98bf3c411cb612082079094924626d2d3381ae5e03d81a796acc3fec9

Download Submit
memory/308-483-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/308-482-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/1272-362-0x0000000001190000-0x0000000001A88000-memory.dmp

Filesize
9.0MB

Download
memory/2212-309-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2212-305-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2604-469-0x0000000000BF0000-0x0000000000C46000-memory.dmp

Filesize
344KB

Download
memory/2604-468-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2732-176-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2732-177-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2848-15-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2848-18-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/2848-23-0x000000001B1B0000-0x000000001B1C2000-memory.dmp

Filesize
72KB

Download
memory/2848-24-0x000000001B1E0000-0x000000001B1EC000-memory.dmp

Filesize
48KB

Download
memory/2848-27-0x000000001B2A0000-0x000000001B2AC000-memory.dmp

Filesize
48KB

Download
memory/2848-26-0x000000001B210000-0x000000001B218000-memory.dmp

Filesize
32KB

Download
memory/2848-28-0x000000001B2B0000-0x000000001B2BC000-memory.dmp

Filesize
48KB

Download
memory/2848-30-0x000000001B2D0000-0x000000001B2DC000-memory.dmp

Filesize
48KB

Download
memory/2848-29-0x000000001B2C0000-0x000000001B2C8000-memory.dmp

Filesize
32KB

Download
memory/2848-34-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

Filesize
56KB

Download
memory/2848-33-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

Filesize
32KB

Download
memory/2848-35-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

Filesize
32KB

Download
memory/2848-39-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/2848-38-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/2848-37-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

Filesize
32KB

Download
memory/2848-36-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/2848-32-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

Filesize
56KB

Download
memory/2848-31-0x000000001B990000-0x000000001B99A000-memory.dmp

Filesize
40KB

Download
memory/2848-25-0x000000001B200000-0x000000001B20C000-memory.dmp

Filesize
48KB

Download
memory/2848-20-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/2848-19-0x0000000002A80000-0x0000000002A88000-memory.dmp

Filesize
32KB

Download
memory/2848-21-0x000000001B050000-0x000000001B058000-memory.dmp

Filesize
32KB

Download
memory/2848-166-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2848-17-0x000000001B160000-0x000000001B1B6000-memory.dmp

Filesize
344KB

Download
memory/2848-16-0x0000000002A60000-0x0000000002A6A000-memory.dmp

Filesize
40KB

Download
memory/2848-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2848-202-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-14-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2848-13-0x0000000002A40000-0x0000000002A4C000-memory.dmp

Filesize
48KB

Download
memory/2848-11-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2848-12-0x0000000002A30000-0x0000000002A42000-memory.dmp

Filesize
72KB

Download
memory/2848-10-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2848-9-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2848-1-0x0000000000CB0000-0x00000000015A8000-memory.dmp

Filesize
9.0MB

Download
memory/2848-8-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2848-7-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/2848-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2848-5-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2848-4-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2848-3-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-2-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2984-455-0x0000000001300000-0x0000000001BF8000-memory.dmp

Filesize
9.0MB

Download