Analysis

max time kernel: 117s
max time network: 110s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 16:34

Static task: static1
Behavioral task: behavioral1
Sample: 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Resource: win7-20240903-en
General

Target: 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Size: 4.9MB
MD5: 2c3bf56a91d29eceee2078a85b738cc0
SHA1: 78ea0f96e4f560bb3cdb9cdcd157adb773c3d7fa
SHA256: 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bd
SHA512: 9507ce6faec5c17d1078db95220e8dce8a5d055fc5cb574c09a8a54d8b08b6475db1641a9f8fb13170c2a02ca2b10f6d31b4f902603efff7eeb6df962d0efb21
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource: behavioral1/memory/2748-3-0x000000001BA60000-0x000000001BB8E000-memory.dmp
yara_rule: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 9 IoCs
Drops file in Program Files directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX73AE.tmp | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files\Windows Mail\it-IT\RCX8245.tmp | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX892B.tmp | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\Uninstall Information\wininit.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\Uninstall Information\56085415360792 | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\f3b6ecef712a24 | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files\Windows Mail\it-IT\sppsvc.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files\Windows Mail\it-IT\0a1fd5f707cd16 | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\RCX71A9.tmp | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8727.tmp | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\8bf88e8e982d8f | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files\Windows Mail\it-IT\sppsvc.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\8bf88e8e982d8f | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\wininit.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File created | C:\Windows\inf\ASP.NET\0019\8bf88e8e982d8f | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Windows\inf\ASP.NET\0019\RCX77B5.tmp | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
File opened for modification | C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe | 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 22 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 30 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Users\Admin\AppData\Local\Temp\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2748 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
-
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2108 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dc19a54-e170-41cd-af18-e58f37c2493a.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1728 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e9a89a-c134-4a4d-9d50-33a620f02fe8.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2716 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e51ff174-b140-4812-8d46-25a277863e62.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ce0f681-5e4e-48ee-b501-355546bd5a7d.vbs"9⤵PID:2908
-
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2028 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adf12a93-cdc9-4de9-b2f8-020fd3ea7efb.vbs"11⤵PID:1100
-
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1012 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b591c2b-f427-4198-9b8c-323b3c8b24c2.vbs"13⤵PID:820
-
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2424 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ed01fe3-2324-4b3f-b2e9-f9433806a017.vbs"15⤵PID:1060
-
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76274a68-650a-4a83-b835-9118ad825831.vbs"17⤵PID:2796
-
C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe"18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1612 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24eedc64-03f8-4d69-96ee-e0276b4f9069.vbs"19⤵PID:2784
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b88ed8d0-5d93-4cb9-a98f-13d1e58e853b.vbs"19⤵PID:1048
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc6554c7-ea19-4088-bd6b-c0ed0d9e535e.vbs"17⤵PID:1740
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07fada1-aabf-44c6-9962-e7c96664cb7d.vbs"15⤵PID:1652
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b261055-c5dc-4c1a-a560-1a1afe362bc2.vbs"13⤵PID:2204
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ec4721-34c4-41b1-9d32-39b51323ec9e.vbs"11⤵PID:2432
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7c7293-f091-4ab9-881f-8a465333b1e1.vbs"9⤵PID:920
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c770147-7970-4293-8f21-ebfc03c946d4.vbs"7⤵PID:3028
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60fc3f86-5976-43cb-b3b2-83c86a05669b.vbs"5⤵PID:1332
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a64eac9e-74f7-4435-962a-270dc846052e.vbs"3⤵PID:1748
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\ASP.NET\0019\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Links\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Temp\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Updater6\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\Roaming\Media Center Programs\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN3" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\3fec697a041f563d5726433d0dde6b5aeb110902f6b828722f4d4121a6dee9bdN.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads