dcrat | 9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Size

4.9MB
MD5

4da9ed14404a53268904e7dd6959f52b
SHA1

c3d798fd07decc8136c52523428d02610fad42c4
SHA256

9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764
SHA512

cba29b2cce4fa6211409fea7103d12f7ab4408e9c1916c77c2de44106a52a1d34eab1c73331768e5e8d49127b8bdd54d08a8ab4889a11fc80b03db11ce7fa284
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx87:j

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	536	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1928-3-0x000000001B5F0000-0x000000001B71E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1576	powershell.exe
2604	powershell.exe
2648	powershell.exe
2128	powershell.exe
1948	powershell.exe
1640	powershell.exe
2024	powershell.exe
2776	powershell.exe
2844	powershell.exe
2896	powershell.exe
1528	powershell.exe
1972	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2880	services.exe
1944	services.exe
2896	services.exe
2164	services.exe
3040	services.exe
2520	services.exe
1608	services.exe
1916	services.exe
2476	services.exe
1112	services.exe
2536	services.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\audiodg.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXD739.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\0a1fd5f707cd16	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXC9DB.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\audiodg.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RCXCE50.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows Portable Devices\lsm.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Google\Temp\Idle.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows NT\dllhost.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsm.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\services.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXDBAD.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\e4d1914201aad4	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows NT\RCXC0F1.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXD0C1.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Google\Temp\6ccacd8608530f	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD93C.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows NT\dllhost.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows NT\5940a34987c991	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\c5b4cb5e9653cc	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXCBDF.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\Idle.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\services.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\42af1c969fbb7b	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2816	schtasks.exe
2460	schtasks.exe
1700	schtasks.exe
2364	schtasks.exe
1328	schtasks.exe
872	schtasks.exe
1136	schtasks.exe
1816	schtasks.exe
2980	schtasks.exe
2444	schtasks.exe
448	schtasks.exe
2928	schtasks.exe
2860	schtasks.exe
2076	schtasks.exe
1984	schtasks.exe
916	schtasks.exe
3040	schtasks.exe
1808	schtasks.exe
2160	schtasks.exe
2152	schtasks.exe
2956	schtasks.exe
1812	schtasks.exe
1216	schtasks.exe
3000	schtasks.exe
2060	schtasks.exe
2648	schtasks.exe
2652	schtasks.exe
1868	schtasks.exe
2144	schtasks.exe
2348	schtasks.exe
1208	schtasks.exe
1660	schtasks.exe
596	schtasks.exe
876	schtasks.exe
2008	schtasks.exe
2892	schtasks.exe
2192	schtasks.exe
1484	schtasks.exe
2848	schtasks.exe
2668	schtasks.exe
1668	schtasks.exe
2332	schtasks.exe
2148	schtasks.exe
1156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2896	powershell.exe
1528	powershell.exe
2844	powershell.exe
2024	powershell.exe
1972	powershell.exe
2776	powershell.exe
2648	powershell.exe
1640	powershell.exe
1948	powershell.exe
1576	powershell.exe
2128	powershell.exe
2604	powershell.exe
2880	services.exe
1944	services.exe
2896	services.exe
2164	services.exe
3040	services.exe
2520	services.exe
1608	services.exe
1916	services.exe
2476	services.exe
1112	services.exe
2536	services.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2880	services.exe
Token: SeDebugPrivilege	1944	services.exe
Token: SeDebugPrivilege	2896	services.exe
Token: SeDebugPrivilege	2164	services.exe
Token: SeDebugPrivilege	3040	services.exe
Token: SeDebugPrivilege	2520	services.exe
Token: SeDebugPrivilege	1608	services.exe
Token: SeDebugPrivilege	1916	services.exe
Token: SeDebugPrivilege	2476	services.exe
Token: SeDebugPrivilege	1112	services.exe
Token: SeDebugPrivilege	2536	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1576	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	77
PID 1928 wrote to memory of 1576	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	77
PID 1928 wrote to memory of 1576	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	77
PID 1928 wrote to memory of 2776	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	78
PID 1928 wrote to memory of 2776	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	78
PID 1928 wrote to memory of 2776	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	78
PID 1928 wrote to memory of 2604	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	79
PID 1928 wrote to memory of 2604	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	79
PID 1928 wrote to memory of 2604	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	79
PID 1928 wrote to memory of 2648	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	80
PID 1928 wrote to memory of 2648	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	80
PID 1928 wrote to memory of 2648	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	80
PID 1928 wrote to memory of 2128	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	81
PID 1928 wrote to memory of 2128	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	81
PID 1928 wrote to memory of 2128	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	81
PID 1928 wrote to memory of 2844	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	82
PID 1928 wrote to memory of 2844	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	82
PID 1928 wrote to memory of 2844	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	82
PID 1928 wrote to memory of 1948	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	83
PID 1928 wrote to memory of 1948	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	83
PID 1928 wrote to memory of 1948	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	83
PID 1928 wrote to memory of 2896	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	84
PID 1928 wrote to memory of 2896	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	84
PID 1928 wrote to memory of 2896	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	84
PID 1928 wrote to memory of 1640	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	85
PID 1928 wrote to memory of 1640	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	85
PID 1928 wrote to memory of 1640	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	85
PID 1928 wrote to memory of 1528	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	86
PID 1928 wrote to memory of 1528	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	86
PID 1928 wrote to memory of 1528	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	86
PID 1928 wrote to memory of 1972	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	87
PID 1928 wrote to memory of 1972	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	87
PID 1928 wrote to memory of 1972	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	87
PID 1928 wrote to memory of 2024	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	88
PID 1928 wrote to memory of 2024	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	88
PID 1928 wrote to memory of 2024	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	88
PID 1928 wrote to memory of 2196	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	97
PID 1928 wrote to memory of 2196	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	97
PID 1928 wrote to memory of 2196	1928	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	97
PID 2196 wrote to memory of 2312	2196	cmd.exe	103
PID 2196 wrote to memory of 2312	2196	cmd.exe	103
PID 2196 wrote to memory of 2312	2196	cmd.exe	103
PID 2196 wrote to memory of 2880	2196	cmd.exe	104
PID 2196 wrote to memory of 2880	2196	cmd.exe	104
PID 2196 wrote to memory of 2880	2196	cmd.exe	104
PID 2880 wrote to memory of 2244	2880	services.exe	105
PID 2880 wrote to memory of 2244	2880	services.exe	105
PID 2880 wrote to memory of 2244	2880	services.exe	105
PID 2880 wrote to memory of 2596	2880	services.exe	106
PID 2880 wrote to memory of 2596	2880	services.exe	106
PID 2880 wrote to memory of 2596	2880	services.exe	106
PID 2244 wrote to memory of 1944	2244	WScript.exe	107
PID 2244 wrote to memory of 1944	2244	WScript.exe	107
PID 2244 wrote to memory of 1944	2244	WScript.exe	107
PID 1944 wrote to memory of 1728	1944	services.exe	108
PID 1944 wrote to memory of 1728	1944	services.exe	108
PID 1944 wrote to memory of 1728	1944	services.exe	108
PID 1944 wrote to memory of 1156	1944	services.exe	109
PID 1944 wrote to memory of 1156	1944	services.exe	109
PID 1944 wrote to memory of 1156	1944	services.exe	109
PID 1728 wrote to memory of 2896	1728	WScript.exe	110
PID 1728 wrote to memory of 2896	1728	WScript.exe	110
PID 1728 wrote to memory of 2896	1728	WScript.exe	110
PID 2896 wrote to memory of 1208	2896	services.exe	111

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
"C:\Users\Admin\AppData\Local\Temp\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1vwDPskygt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2312
- - C:\Program Files\Java\jre7\bin\plugin2\services.exe
    "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\161e531e-5182-404c-9541-feab352fdef9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1944
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9735eadc-3057-4fc4-9e00-6d365e2c9cc6.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8725d472-a553-47b4-83ce-d6ceea8d2825.vbs"
        8⤵
        
        PID:1208
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e7e26da-aed1-449f-997c-2ae0828f8485.vbs"
        10⤵
        
        PID:2128
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a60ff6ec-ee02-46a8-a547-750ef61970d1.vbs"
        12⤵
        
        PID:2904
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a19fc761-429a-4791-81f8-ae184be97159.vbs"
        14⤵
        
        PID:1696
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a473e9c-f639-4f3d-b165-55aeb0bc2cf6.vbs"
        16⤵
        
        PID:1244
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddc7e7e4-9021-4dfa-8904-c00439df24b0.vbs"
        18⤵
        
        PID:1676
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc9e6975-2bcc-435a-a68b-1d48007beae0.vbs"
        20⤵
        
        PID:2240
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86872d97-8a3d-417d-b941-d2fe0faa1065.vbs"
        22⤵
        
        PID:2244
        
        C:\Program Files\Java\jre7\bin\plugin2\services.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\services.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\625b46bf-1247-4f12-80f9-cf75fe11160e.vbs"
        24⤵
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1bc331-b30e-4e6f-87c5-e97317104661.vbs"
        24⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ec4e58-489f-42ba-bc7d-72ade2bfaa8c.vbs"
        22⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecf001fb-bc6f-4ba1-b711-297e2d5fa36d.vbs"
        20⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b72d3ea1-5454-4f0a-85a9-37aa7ad17c59.vbs"
        18⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a65c57fe-d0ba-47c8-9b28-1fb16e60a344.vbs"
        16⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a297cf7d-66e0-4f24-9e45-cabcbf993b1b.vbs"
        14⤵
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37d58e48-3006-4c58-bf34-8630ba231adf.vbs"
        12⤵
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12c38ad8-30db-4859-88b2-4cb6eb5aed26.vbs"
        10⤵
        
        PID:108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc2185a-273d-4114-917e-11951ea3d408.vbs"
        8⤵
        
        PID:1912
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f03186b-0ec3-4224-8ded-7cedff069eef.vbs"
        6⤵
        
        PID:1156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7155b68-e4dc-4e58-b84e-7b93d51d27bd.vbs"
      4⤵
      PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\plugin2\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\plugin2\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f7649" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f7649" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXDBAD.tmp

Filesize
4.9MB

MD5
0c94b94a640a77b87cc87ca3ecfb7b0d

SHA1
030f0af4afcc306b87565c3d1231bc4e0de57ad3

SHA256
a57a2c02749a0a4e67c3bbaeb221d7293a6cb9aa22b206ab4a9e1c30aa1e6f3f

SHA512
1581996d19b988e4313d6b4efca06732387fa2ea207b0f254d13db52de85edd634ecec6998e0e98a4f65633aadefb44830c1d91f936cb23265ff9a791e34b4c5

Download Submit
C:\Program Files\Java\jre7\bin\plugin2\services.exe

Filesize
4.9MB

MD5
b1286b86dfaeabae006e1eceb1ba0c89

SHA1
7b3e82e4e5a51c061201c4cd210d4f99661e9f70

SHA256
179ecc73ba7da11c94e38dd84abad6f7d33d6424f3d47a7b089157d752873853

SHA512
4fd30a150c3189f6a9902b76067d139d54e13316b22daf8b823d925abe5676a4f0ffc2c0f90e7c32a8339f4932c71870c5e1ea63a36c7991be40f57ec71152d7

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe

Filesize
4.9MB

MD5
4da9ed14404a53268904e7dd6959f52b

SHA1
c3d798fd07decc8136c52523428d02610fad42c4

SHA256
9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764

SHA512
cba29b2cce4fa6211409fea7103d12f7ab4408e9c1916c77c2de44106a52a1d34eab1c73331768e5e8d49127b8bdd54d08a8ab4889a11fc80b03db11ce7fa284

Download Submit
C:\Users\Admin\AppData\Local\Temp\161e531e-5182-404c-9541-feab352fdef9.vbs

Filesize
727B

MD5
604bc56824d487672a3fed21031262f7

SHA1
09ebbdeee45997f2f1266fd1a7443571f474a3a5

SHA256
dcdd4f80ca5b68a72508e9af60c32bf20fb3643acafd9fa113c9107c7a2f4803

SHA512
dd608af3f2c4af8afe7797dc0f3d957069f1f5a83074328ce7d286d1b1a59c44fc156c82e8ee22b8f32c6e1ec7d5aeb42397dfaf04ab3fe80ca30ec138b0e056

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a473e9c-f639-4f3d-b165-55aeb0bc2cf6.vbs

Filesize
727B

MD5
8bdd4a66852d850676384775430fd9c4

SHA1
17b2bc53f76740546e12159dbbf7eb7f06b97969

SHA256
0f3fc6fb29af9d6cf5906769bf0f1e6d0082ff019939982fed9b7cde9a138275

SHA512
4c3e74ef4f0127a8fa820113028a71251474c5d05c8943f54252fde0260dea8ba0a7671641b7f8236134df40e64b21759813c39658ca1a97870a17cba2069864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vwDPskygt.bat

Filesize
216B

MD5
adaee2496fb5cbadbf6ecd02163dccc8

SHA1
582aef8824bdc1cae3afe9cb02823cce62e6435e

SHA256
48b72e533dfb01b60fade9d6ee8d79aa1a6ed6aa9c28561b4456c213b1417893

SHA512
4bbe9841a8d2ac4e878f8ae6be0062fe9fb51f1f93ddd04d8417c59f8d572280f21aada959775d2c7aab38c0fb3a89fdf719e17b2cce57a95aecd9b2924baab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\625b46bf-1247-4f12-80f9-cf75fe11160e.vbs

Filesize
727B

MD5
39cec6844868f0504934b59b5cd3dbed

SHA1
c37b91dab5e9620db2d99252ddf478c54d3ac03a

SHA256
c2eba71e149ff713ea5fff6cce817562ae72d478ab611ef633e92f9af83f4c7c

SHA512
eafd9489819f14256d495153ea8e198a9aae5302194e547dd476584893e3c2bb42e4dd904b72da1c7cc4774f72bd3e74d4854e668580230827d871c4d721dc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\86872d97-8a3d-417d-b941-d2fe0faa1065.vbs

Filesize
727B

MD5
943a54f7926e3a903d69abecc562a8c7

SHA1
04e468ffe719eeac7322191e96deb100faa0bf55

SHA256
bdfd8de1a7bf567ebf90a236825c270602d8ef33aa816f3bfc2a2c70aee28e51

SHA512
f36a205eec5300e71ce6560aae5a3342944c801f900d80f2e83bef546316e3a96c644ce2adfa9c44ab27631bab45bdcddd35b01f7366b8298f13b7bcee9309ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\8725d472-a553-47b4-83ce-d6ceea8d2825.vbs

Filesize
727B

MD5
28dacb3f217a2457777c3ec582bf5d2f

SHA1
9904244b728e5d0315eb5bf05824ec97735c8186

SHA256
297fb661a5d40a1b5ced44eaee53dbbdd46db777994cac52d11faa9caa322127

SHA512
615f33494a8e7905300d1f9763a2c07a07a1e926305ecd9755325103f85faeadb419f4b567d9953a19a6b57c9bfc7a9c6397310865bcd8a00d581c3003a5540d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e7e26da-aed1-449f-997c-2ae0828f8485.vbs

Filesize
727B

MD5
d4fc08374cbe2a03e963ab4879eee368

SHA1
979d4a3eda2c250f9c923e07de1454416b9555fa

SHA256
e6ae24f1126bfa10c6c6931852e28fc29ce1c6e67be7ccd79deeeb5b054b6496

SHA512
efa982e1c71e874805500226fe5a267e1fa15b09e9b25a0d09f3f6307dae9d4885b0b27de40d637cf74ff993664fcfbe77f88f3b8c10a2b73688e1136bb28b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9735eadc-3057-4fc4-9e00-6d365e2c9cc6.vbs

Filesize
727B

MD5
47bf5d2e9a36c49795f7030612cf32ee

SHA1
776549a966b917c43b69c962ecada237b4d77d92

SHA256
6f613c56c0f0069beb03b6b789fbd317b84a18e9cd585cdfd8745b6128f867b7

SHA512
b388e995cccaa66c2093d138ea89687759209b14c141f327171c99931b14c824983f561f66870fd47277ce0a65653452230e94460476cdaad5436c39251f5834

Download Submit
C:\Users\Admin\AppData\Local\Temp\a19fc761-429a-4791-81f8-ae184be97159.vbs

Filesize
727B

MD5
514c834d99869d91c4e24d113ceac292

SHA1
23e1bbe0cf3ffa867a351f156f2b4d427718d8d0

SHA256
fd9b84f6fb9ec1865c467732fc48bfc498349440e25b6c72e2013f09480244be

SHA512
12e5315bc29642adaf69b7d2df26217c4bf01db579c5b5510bbf031cc3d32cca89ba0aedbbb9022c18ae38ef71de497a6bcebbee820d964a81a9348f038f4989

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60ff6ec-ee02-46a8-a547-750ef61970d1.vbs

Filesize
727B

MD5
f7b62d7e3d297d82d40eaed32463ef85

SHA1
42ce4389c0739adc833dbc23cc6a8bd3f417e41a

SHA256
d1452550ae0f212b1d45195238adbeafa0fe43f524ca24f2d25330325e3cea19

SHA512
65a91b2505c30e5e8c312b31c0825cf83a87ad565f07c7f68ec9159f66777cd508170446057d047c83bd5b5aac88078f4c8078a3062049638b1e081f214a2f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc9e6975-2bcc-435a-a68b-1d48007beae0.vbs

Filesize
727B

MD5
f22a5cec31cceb759a314af9e2cb22cf

SHA1
93fe2faef2cd09dbc3ceeeebfbb2bfdc87604ac1

SHA256
5d51c5b6225bbf8ee9cdb966279f24b0e4ba8c45995bf6cb59a98e5f398df86e

SHA512
9e3de55c3275f583fb6b2863e5d30d8c5d34f5ca5dbb092aaa90b4d3fcb804e92d2b0fb7555faac1037be03a9a34eaa8bfe6404ecbf87c2f6ecae3a862ec1288

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddc7e7e4-9021-4dfa-8904-c00439df24b0.vbs

Filesize
727B

MD5
ebe3949394f9b8c6c40fd4b6ce70a232

SHA1
86b31417925d8983f9675e3193639f4942840d50

SHA256
566338f8231e5f0acac00ccd58eeee7677c44cef03ee42532ac6dd31016e79ec

SHA512
e5884df08c43e62a0229556651d8ecc3ffff8cb2c2e8aa6b2892af59b91f131df377e01075a0970167e666be0553b2150a0f6e485edf9fde04e59da277c84329

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7155b68-e4dc-4e58-b84e-7b93d51d27bd.vbs

Filesize
503B

MD5
d28d4690ab71d711aee2c7a806d06543

SHA1
5652ee253be843adf64ff127fcac62b50263d5b3

SHA256
4ab489143dafc86126497c50ed41e2718310e317454717413ab007ef17cfb9f6

SHA512
c9016ef3ac60c83ee8bbd156b45c4317924697dab38e0fe1d735a2912e67c085e6739b5adf283533bcad1f6a7efbd3d8843e88abf3e6a55004b6ec55e83d986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A5.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JBRRQMZ2QO3319YENIWP.temp

Filesize
7KB

MD5
733e2e04996b520066317c8e0a65dc5f

SHA1
a56dd061a4631c27094e2333b741297ad46160bd

SHA256
a622a98541b5da14a18e8583431870bdafc842618c793cc4408157f7cd338283

SHA512
e8789979b4e2fbaa04c779657700d28ef5cd5671b9bb3a6c7a40a5aca8bf0a7a1c5005211b90c3f8215faddf9fccc07bc32dea5a0a0d0298883ee9aced219c26

Download Submit
C:\Users\Admin\RCXDDB1.tmp

Filesize
4.9MB

MD5
70620a70da0e06df492e65b1f6efb3ac

SHA1
20251b41ac2f943046b0a5108151367dc61391bc

SHA256
449c113e2f543086233c629bd365cd72e9c5c4b286973709adee0f4324f19c75

SHA512
afc9b792853c15e0e52c8f4b1251575ab4ff336b76515fcc77456177fa4e4df6eca0290ca043e9912e408073b08bdeb83b67a2cabdc74fc1ced3b949565bb2ea

Download Submit
memory/1608-305-0x0000000001070000-0x0000000001564000-memory.dmp

Filesize
5.0MB

Download
memory/1928-16-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/1928-14-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/1928-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x0000000000DD0000-0x00000000012C4000-memory.dmp

Filesize
5.0MB

Download
memory/1928-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-126-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1928-180-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-15-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/1928-3-0x000000001B5F0000-0x000000001B71E000-memory.dmp

Filesize
1.2MB

Download
memory/1928-10-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/1928-13-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/1928-12-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/1928-140-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1928-4-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/1928-6-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1928-8-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1928-7-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1928-5-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1928-9-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/1928-11-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/2476-334-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/2520-290-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/2880-220-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2880-219-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/2896-173-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2896-168-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download