dcrat | 8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Size

4.9MB
MD5

7c5669c1eb8e15de18ad5888920de3f7
SHA1

62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb
SHA256

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811
SHA512

791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8Z:R

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2968	schtasks.exe
File created	C:\Windows\addins\81dc0bd0bf0ef5		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		2976	schtasks.exe
		2252	schtasks.exe
		2352	schtasks.exe
		2972	schtasks.exe
		1936	schtasks.exe
		2888	schtasks.exe
		1724	schtasks.exe
		1360	schtasks.exe
		2348	schtasks.exe
		1828	schtasks.exe
		860	schtasks.exe
		2812	schtasks.exe
		2516	schtasks.exe
		2324	schtasks.exe
		280	schtasks.exe
		1268	schtasks.exe
		1492	schtasks.exe
		2724	schtasks.exe
		2088	schtasks.exe
		836	schtasks.exe
		2188	schtasks.exe
		892	schtasks.exe
		2364	schtasks.exe
		980	schtasks.exe
		1932	schtasks.exe
		2268	schtasks.exe
		832	schtasks.exe
		2076	schtasks.exe
		1460	schtasks.exe
		2964	schtasks.exe
		2764	schtasks.exe
		1736	schtasks.exe
		1768	schtasks.exe
		2824	schtasks.exe
		832	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\75a57c1bdf437c		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		2384	schtasks.exe
		2776	schtasks.exe
		2052	schtasks.exe
		1768	schtasks.exe
		112	schtasks.exe
File created	C:\Program Files\Windows Sidebar\de-DE\7a0fd90576e088		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		352	schtasks.exe
		1980	schtasks.exe
		1436	schtasks.exe
		2660	schtasks.exe
		2108	schtasks.exe
		1424	schtasks.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\1610b97d3ab4a7		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		1940	schtasks.exe
		548	schtasks.exe
		2204	schtasks.exe
		2072	schtasks.exe
		1644	schtasks.exe
		1552	schtasks.exe
		1932	schtasks.exe
		2324	schtasks.exe
		1740	schtasks.exe
		2780	schtasks.exe
		2928	schtasks.exe
		2056	schtasks.exe
		2012	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2704	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2704	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2080-3-0x000000001B460000-0x000000001B58E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2604	powershell.exe
2064	powershell.exe
2564	powershell.exe
2744	powershell.exe
2352	powershell.exe
2812	powershell.exe
2824	powershell.exe
2552	powershell.exe
2944	powershell.exe
2028	powershell.exe
2496	powershell.exe
1428	powershell.exe
448	powershell.exe
2660	powershell.exe
1608	powershell.exe
2624	powershell.exe
2916	powershell.exe
1700	powershell.exe
1576	powershell.exe
2960	powershell.exe
2008	powershell.exe
2948	powershell.exe
112	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3032	dllhost.exe
2052	dllhost.exe
3064	dllhost.exe
2924	dllhost.exe
2872	dllhost.exe
2632	dllhost.exe
1644	dllhost.exe
1916	dllhost.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\it-IT\5940a34987c991	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Google\RCXED7A.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\101b941d020240	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXD26D.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Sidebar\de-DE\7a0fd90576e088	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Google\audiodg.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXD675.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\explorer.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\lsm.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\OSPPSVC.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Sidebar\de-DE\explorer.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Google\42af1c969fbb7b	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Mail\it-IT\dllhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\75a57c1bdf437c	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\27d1bcfc3c54e0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\lsm.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\OSPPSVC.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\1610b97d3ab4a7	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Google\audiodg.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WMIADAP.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RCXD471.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\dllhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WMIADAP.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\addins\81dc0bd0bf0ef5	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\addins\RCXE972.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\addins\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\addins\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
860	schtasks.exe
2928	schtasks.exe
352	schtasks.exe
1424	schtasks.exe
2660	schtasks.exe
1724	schtasks.exe
832	schtasks.exe
1460	schtasks.exe
1940	schtasks.exe
548	schtasks.exe
2076	schtasks.exe
892	schtasks.exe
1828	schtasks.exe
2968	schtasks.exe
1860	schtasks.exe
2052	schtasks.exe
2072	schtasks.exe
1768	schtasks.exe
2492	schtasks.exe
2812	schtasks.exe
2300	schtasks.exe
2780	schtasks.exe
1768	schtasks.exe
352	schtasks.exe
2964	schtasks.exe
2992	schtasks.exe
1268	schtasks.exe
2328	schtasks.exe
2324	schtasks.exe
2924	schtasks.exe
2204	schtasks.exe
112	schtasks.exe
2056	schtasks.exe
2516	schtasks.exe
1360	schtasks.exe
1544	schtasks.exe
2384	schtasks.exe
2108	schtasks.exe
2708	schtasks.exe
1932	schtasks.exe
2252	schtasks.exe
1980	schtasks.exe
2972	schtasks.exe
1740	schtasks.exe
1736	schtasks.exe
1036	schtasks.exe
2776	schtasks.exe
3048	schtasks.exe
2364	schtasks.exe
1936	schtasks.exe
692	schtasks.exe
1492	schtasks.exe
2764	schtasks.exe
2268	schtasks.exe
1840	schtasks.exe
1932	schtasks.exe
3024	schtasks.exe
280	schtasks.exe
836	schtasks.exe
3068	schtasks.exe
2976	schtasks.exe
2576	schtasks.exe
832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2824	powershell.exe
2604	powershell.exe
2960	powershell.exe
2660	powershell.exe
1608	powershell.exe
2352	powershell.exe
2744	powershell.exe
2948	powershell.exe
2812	powershell.exe
2684	powershell.exe
2624	powershell.exe
2008	powershell.exe
1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2496	powershell.exe
2028	powershell.exe
2944	powershell.exe
2564	powershell.exe
1576	powershell.exe
2064	powershell.exe
112	powershell.exe
2552	powershell.exe
1428	powershell.exe
2916	powershell.exe
1700	powershell.exe
448	powershell.exe
3032	dllhost.exe
2052	dllhost.exe
3064	dllhost.exe
2924	dllhost.exe
2872	dllhost.exe
2632	dllhost.exe
1644	dllhost.exe
1916	dllhost.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3032	dllhost.exe
Token: SeDebugPrivilege	2052	dllhost.exe
Token: SeDebugPrivilege	3064	dllhost.exe
Token: SeDebugPrivilege	2924	dllhost.exe
Token: SeDebugPrivilege	2872	dllhost.exe
Token: SeDebugPrivilege	2632	dllhost.exe
Token: SeDebugPrivilege	1644	dllhost.exe
Token: SeDebugPrivilege	1916	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2624	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	74
PID 2080 wrote to memory of 2624	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	74
PID 2080 wrote to memory of 2624	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	74
PID 2080 wrote to memory of 2604	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	75
PID 2080 wrote to memory of 2604	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	75
PID 2080 wrote to memory of 2604	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	75
PID 2080 wrote to memory of 2684	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	76
PID 2080 wrote to memory of 2684	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	76
PID 2080 wrote to memory of 2684	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	76
PID 2080 wrote to memory of 2824	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	77
PID 2080 wrote to memory of 2824	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	77
PID 2080 wrote to memory of 2824	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	77
PID 2080 wrote to memory of 2812	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	78
PID 2080 wrote to memory of 2812	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	78
PID 2080 wrote to memory of 2812	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	78
PID 2080 wrote to memory of 2352	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	79
PID 2080 wrote to memory of 2352	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	79
PID 2080 wrote to memory of 2352	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	79
PID 2080 wrote to memory of 2744	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	82
PID 2080 wrote to memory of 2744	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	82
PID 2080 wrote to memory of 2744	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	82
PID 2080 wrote to memory of 1608	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	83
PID 2080 wrote to memory of 1608	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	83
PID 2080 wrote to memory of 1608	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	83
PID 2080 wrote to memory of 2948	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	84
PID 2080 wrote to memory of 2948	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	84
PID 2080 wrote to memory of 2948	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	84
PID 2080 wrote to memory of 2660	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	85
PID 2080 wrote to memory of 2660	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	85
PID 2080 wrote to memory of 2660	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	85
PID 2080 wrote to memory of 2008	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	86
PID 2080 wrote to memory of 2008	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	86
PID 2080 wrote to memory of 2008	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	86
PID 2080 wrote to memory of 2960	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	87
PID 2080 wrote to memory of 2960	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	87
PID 2080 wrote to memory of 2960	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	87
PID 2080 wrote to memory of 2300	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	96
PID 2080 wrote to memory of 2300	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	96
PID 2080 wrote to memory of 2300	2080	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	96
PID 2300 wrote to memory of 300	2300	cmd.exe	100
PID 2300 wrote to memory of 300	2300	cmd.exe	100
PID 2300 wrote to memory of 300	2300	cmd.exe	100
PID 2300 wrote to memory of 1204	2300	cmd.exe	101
PID 2300 wrote to memory of 1204	2300	cmd.exe	101
PID 2300 wrote to memory of 1204	2300	cmd.exe	101
PID 1204 wrote to memory of 2028	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	142
PID 1204 wrote to memory of 2028	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	142
PID 1204 wrote to memory of 2028	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	142
PID 1204 wrote to memory of 2496	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	143
PID 1204 wrote to memory of 2496	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	143
PID 1204 wrote to memory of 2496	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	143
PID 1204 wrote to memory of 2064	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	144
PID 1204 wrote to memory of 2064	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	144
PID 1204 wrote to memory of 2064	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	144
PID 1204 wrote to memory of 2916	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	146
PID 1204 wrote to memory of 2916	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	146
PID 1204 wrote to memory of 2916	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	146
PID 1204 wrote to memory of 1428	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	147
PID 1204 wrote to memory of 1428	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	147
PID 1204 wrote to memory of 1428	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	147
PID 1204 wrote to memory of 112	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	148
PID 1204 wrote to memory of 112	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	148
PID 1204 wrote to memory of 112	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	148
PID 1204 wrote to memory of 448	1204	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	149

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
"C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9GVbOqLuiu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
    "C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Program Files\Windows Mail\it-IT\dllhost.exe
      "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:3032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c1e355-7734-462e-ab8d-62272d19a7e3.vbs"
        5⤵
        
        PID:2864
      - C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bad1e06-7b23-4c77-9425-41503ef14914.vbs"
        7⤵
        
        PID:2112
        
        C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ca65d3-966e-430c-9c73-f6199ed467d8.vbs"
        9⤵
        
        PID:2012
        
        C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e0b3598-f018-4547-9d2f-2bf528d6d550.vbs"
        11⤵
        
        PID:1680
        
        C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\968447e3-b95c-472a-99b7-a519ef38db7d.vbs"
        13⤵
        
        PID:1400
        
        C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9544a687-347d-4c45-874f-d15be9c40f63.vbs"
        15⤵
        
        PID:2672
        
        C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65562c2a-679f-4744-86be-30ca7e523fe6.vbs"
        17⤵
        
        PID:2076
        
        C:\Program Files\Windows Mail\it-IT\dllhost.exe
        
        "C:\Program Files\Windows Mail\it-IT\dllhost.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40cdf9a8-b9b5-4e32-a6aa-63455576550d.vbs"
        19⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed2a3748-5695-48a2-a9cb-619af3924f1a.vbs"
        19⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1632ae66-a9c9-42d1-b3da-9eda7d562c03.vbs"
        17⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c7748b-6c38-4373-ab35-4bd37c8dc4d8.vbs"
        15⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\146a9c8a-8974-4902-af6f-e8341a9dea55.vbs"
        13⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d21b00f-b1ba-436a-b9e1-3b16ae74770d.vbs"
        11⤵
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cf57b09-d608-44fb-a470-66666a6d91cc.vbs"
        9⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e84e73f7-5bd5-43f8-af8a-7fc9993706d3.vbs"
        7⤵
        
        PID:2456
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89fbab4a-7086-4134-8a42-25e66fa223eb.vbs"
        5⤵
        
        PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa8118" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811" /sc ONLOGON /tr "'C:\Windows\addins\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa8118" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\audiodg.exe

Filesize
4.9MB

MD5
3780be6e2e0cf159c9f4bf4f0ce4a5cb

SHA1
0957fc28ef64787dcec2b1b2bb7d4b6c8b7ab408

SHA256
c46518803f2a79ee7506bc20288c657b459e7869955def71ca6345c2eabfc61f

SHA512
abf6abd287fe813472965554cdd50d44251c1fb2497f2d59aca4281b50677c256deacdad508fb9826bd15d0fb04b125eabca1f1d1a70dcf786aef151d4de8a73

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe

Filesize
4.9MB

MD5
7c5669c1eb8e15de18ad5888920de3f7

SHA1
62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb

SHA256
8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

SHA512
791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\RCXE2FA.tmp

Filesize
4.9MB

MD5
45823840aecad1d79963c5277d4dc297

SHA1
54298b52d023dcb942f22a0bfc978724815a4670

SHA256
69b0d495ec6cb7eb70bd556d106094e12e49091ccacfaca45e2b8e2c8168d73e

SHA512
af99eface000c35a9b2ab71795d4e57b3bf245d20bd66e619b7696e154f5d3629956ffb162b1e5120542c55fd8315f743aaf66185d8734e23b8e6117a376a0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bad1e06-7b23-4c77-9425-41503ef14914.vbs

Filesize
723B

MD5
e8cf92a220b984a1f5d1929b04b0d4b7

SHA1
bef3b93687c803e82c714eac2608cc4509eba071

SHA256
63db008139a4b2ef9c7ac67228e5997d7f58cbe08133d0ebb9a455f3695ab159

SHA512
e5d1ef925e948c72a5a4fb35f30301dda5eb4b3b6f01e746079e534750e302ee2956d56741ee1b6985ba5b4aee8b7721694c9870fc17426645f31735970ba183

Download Submit
C:\Users\Admin\AppData\Local\Temp\40cdf9a8-b9b5-4e32-a6aa-63455576550d.vbs

Filesize
723B

MD5
7a20efdfdda8964f76ca559ed3fd001d

SHA1
ea0286f0fac29a6f0bc073044695874524c9f983

SHA256
6d28d75f8cf9842a9e46e966e310cc6c1b6357f0bea00b91cc8695d49af583df

SHA512
4094360443789c5c9adfdeba2215a1fa1b940cdbddaf68ce48247a2f866810d769ca0dd6f696f3c779224d3af048bbf4fc15af32d1dbed0219351885ac61ed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\52c1e355-7734-462e-ab8d-62272d19a7e3.vbs

Filesize
723B

MD5
0405ce8f161bbc19e4bc815402204c5f

SHA1
011b94eb263f0e73def48b0044897f79fc0b0c0a

SHA256
a31a8b0566fa83fc6455fca08c1bfbfb3ad182ccbd60c50f12a5a213b987838f

SHA512
d73a6d62c3aeabf93d6c0868a5a0b2a12431ec314735ea84fec5261a910565b8ce952d23c273298c84548a8fe4f0baaedf4994e76d50d9033c063d990143881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e0b3598-f018-4547-9d2f-2bf528d6d550.vbs

Filesize
723B

MD5
e4da850597f77c7ad3ff36a84c70766a

SHA1
b349a8e4c3ea4fe9935ca3523269a687f921edf4

SHA256
4a416ef354148ae1cda158719f2397294107b2b57c345a6fa136b134d73ccaa0

SHA512
db2cab5e1df506f53f92de15a14bbac891580eca47d8652cf1efe946c68b36d45cb63c93e61f0012c9812ab24fec0149c029cdc59eef3338e744048cdae2d37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\65562c2a-679f-4744-86be-30ca7e523fe6.vbs

Filesize
723B

MD5
785c8d8d1b9bfefedaf5131e110143ed

SHA1
bff1453dfd61a62f6294b4a29f09194fb0e2155b

SHA256
7e726cacaf3bd725ff89396547054a0008ca824fdded00b037ba094bd94e946a

SHA512
cec4ae9db9e48c52cad7bd7814f5db121bb345481d2bfec8a60d9779b1b145e63324dc6b7402a2732484029709521ef1456fc2f1b079d8e00e762f852af604b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\89fbab4a-7086-4134-8a42-25e66fa223eb.vbs

Filesize
499B

MD5
744a5784bebe58b0159df4b47734a080

SHA1
b30236fb4c2aca14872374159cfc4e4aa0b48ad3

SHA256
1207f21472a4db479e54ee4ae294fbb2226f3206e7e4939013b24283ed37fdf6

SHA512
a6b28ec4f2af354c873d2da4eb4050146871c270d45dc99a8210442a61f0515ed606c597bc6d87f97449d02357d184ece53a37756350c99c5e4b363488a0c509

Download Submit
C:\Users\Admin\AppData\Local\Temp\9544a687-347d-4c45-874f-d15be9c40f63.vbs

Filesize
723B

MD5
8ef6869af2b304ba7a7db5c75267b680

SHA1
fd65c42d107720b80dd41992c9318510bec128ea

SHA256
2ab536c2722dea805e149d2c77899afaeaf1f55ece6061493335e5ee219c4dcb

SHA512
2c026c92b1daae6253b7501f85920f2311b2dde3ea983bf73358ac5e606324d67c4568e90e0258379b5fd1168a3982b6b0c5511186dbbbbe1b5bafd13ebbb40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\968447e3-b95c-472a-99b7-a519ef38db7d.vbs

Filesize
723B

MD5
fb48905ae1ebaeae27482dcf35a371da

SHA1
092d4d9f2cb54afa541d74f90d3580c5852a8788

SHA256
f5832ec2332e35538a57de9a006f3e8600ef2fd0ca6ac088f2a112702b22e0bb

SHA512
83006085ef78f2ecb68aad259e25c90378793b6e372a52f45304f548e11c618306623a867fbaf015417872bbb439610dbd55d30b4c932eed9a8c285374cef861

Download Submit
C:\Users\Admin\AppData\Local\Temp\9GVbOqLuiu.bat

Filesize
267B

MD5
9db8d447dba93075812eca860bc5d858

SHA1
f59c292ff5647e24dcd4007d63a052ce2fa6e636

SHA256
b016610d640f887473adc7fe95bf36d9328a1bd57efc28762b2fc61d45ebfc73

SHA512
f1c291cb0d0f4c2b0a75d289d8fec1a0b0f35772812c4716c0697b6166bfb33e76e0ca94fc2f98033ebf18d1a04fa42b55c1a7361af1aa9a6a6b295e3b0eea1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9ca65d3-966e-430c-9c73-f6199ed467d8.vbs

Filesize
723B

MD5
bf5688f28dac12bcac869e2c37844f05

SHA1
94cca4db2125127ce3b15ab6c00f93e429f456b7

SHA256
8083c940188217a72172c8a0a1b695f01bbb07fa90b3485dfe4f3eeb61fbec19

SHA512
9600ed3816eb9c60a807c33714beb5966978e3efa473b7b504d4d4fdec60321fd15c9a1334ebfb8ee7b086bdd714813f88c4dceb3cca012b4ddd72b2c9f6f561

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1738.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eda48513b3b2ad849e223eedd592ea3f

SHA1
f2f892f7fbc3da2f7c0ec4a1f121bef78925b83b

SHA256
ee505c2c8370ee04656997732d302e02c8245582c98d6bbc783c8b39d17d9ea7

SHA512
b068d9352d61265aa0a463ef74200fd0be698d9eea7156f795d44bfa38daa889f969365c734e4fc851967ec53f0d8646639bd9f0cb6033356fc304656a8a77d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IXRTRZ7X5RCMAOXMSMW6.temp

Filesize
7KB

MD5
09b02d34c013ac5d8eaa104ef915fe9f

SHA1
46502773c5526a3405bc40ab699f4168ed541cf5

SHA256
b66227990e3cfb6bde475d978902f966f55c017a7c022cebb9c8cb2a819eedf2

SHA512
f7c2f62b9d0a8d0a02a7d0be2fe24112de07f658b58bea506bd495e1958720e9b9b200df5d33b15e5a3a887265102829200c5126d8a86c818b371d5f7fd81bc4

Download Submit
memory/1204-215-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/1644-420-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/1644-421-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/2052-345-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/2052-346-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2080-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2080-7-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/2080-1-0x0000000000AF0000-0x0000000000FE4000-memory.dmp

Filesize
5.0MB

Download
memory/2080-163-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-139-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2080-15-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2080-16-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/2080-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-14-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2080-3-0x000000001B460000-0x000000001B58E000-memory.dmp

Filesize
1.2MB

Download
memory/2080-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2080-13-0x0000000002500000-0x000000000250E000-memory.dmp

Filesize
56KB

Download
memory/2080-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2080-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2080-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2080-9-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2080-5-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2080-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2080-6-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2496-283-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2496-282-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2632-406-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/2824-161-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2824-160-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2872-391-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/2924-376-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/3032-331-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/3064-361-0x0000000001250000-0x0000000001744000-memory.dmp

Filesize
5.0MB

Download