dcrat | e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe
Size

2.2MB
MD5

811005c699096acecde84aeea48d9890
SHA1

077c2a11dde5d10e7a8a8f391066430725c40a8d
SHA256

e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954
SHA512

68a4ac32adee2769fdd34e2c94905763cae902dac876b858d08adcd9a4db2534fd326eabbd0ef3c96ed5b5c5bc2f3a9a95081c258ec90fe75948d3f2f52f22ce
SSDEEP

49152:PBlOTclcGVNEBuUSDgrP+7m+Ej7rTXEjEmr:Z4TclcwED+7m+Afmr

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Windows\\tracing\\cmd.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Windows\\tracing\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Windows\\tracing\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\taskhost.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\", \"C:\\Windows\\tracing\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\taskhost.exe\", \"C:\\blockWin\\Comagentrefhostmonitor.exe\""	Comagentrefhostmonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1720	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
1640	powershell.exe
2652	powershell.exe
984	powershell.exe
1068	powershell.exe
1672	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2676	Comagentrefhostmonitor.exe
2688	spoolsv.exe
2904	spoolsv.exe
2304	spoolsv.exe
856	spoolsv.exe
2332	spoolsv.exe
1060	spoolsv.exe
2472	spoolsv.exe
2848	spoolsv.exe
2116	spoolsv.exe
2452	spoolsv.exe
1368	spoolsv.exe
2524	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	cmd.exe
2840	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\taskhost.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\taskhost.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\tracing\\cmd.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Comagentrefhostmonitor = "\"C:\\blockWin\\Comagentrefhostmonitor.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Comagentrefhostmonitor = "\"C:\\blockWin\\Comagentrefhostmonitor.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\spoolsv.exe\""	Comagentrefhostmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\tracing\\cmd.exe\""	Comagentrefhostmonitor.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4851513345C3443CB366A54D6108B8.TMP	csc.exe
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\taskhost.exe	Comagentrefhostmonitor.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\taskhost.exe	Comagentrefhostmonitor.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\b75386f1303e64	Comagentrefhostmonitor.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe	Comagentrefhostmonitor.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\f3b6ecef712a24	Comagentrefhostmonitor.exe
File created	C:\Program Files\VideoLAN\VLC\explorer.exe	Comagentrefhostmonitor.exe
File created	C:\Program Files\VideoLAN\VLC\7a0fd90576e088	Comagentrefhostmonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tracing\cmd.exe	Comagentrefhostmonitor.exe
File created	C:\Windows\tracing\ebf1f9fa8afd6d	Comagentrefhostmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2276	PING.EXE
1284	PING.EXE
2756	PING.EXE
2816	PING.EXE
3068	PING.EXE
1052	PING.EXE
2028	PING.EXE
2800	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Comagentrefhostmonitor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Comagentrefhostmonitor.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
2816	PING.EXE
3068	PING.EXE
1052	PING.EXE
2028	PING.EXE
2800	PING.EXE
2276	PING.EXE
1284	PING.EXE
2756	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
1064	schtasks.exe
2412	schtasks.exe
2032	schtasks.exe
1680	schtasks.exe
1472	schtasks.exe
2052	schtasks.exe
1184	schtasks.exe
2540	schtasks.exe
2548	schtasks.exe
2104	schtasks.exe
2492	schtasks.exe
2308	schtasks.exe
2208	schtasks.exe
2520	schtasks.exe
2736	schtasks.exe
2276	schtasks.exe
2440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe
2676	Comagentrefhostmonitor.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	Comagentrefhostmonitor.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2688	spoolsv.exe
Token: SeDebugPrivilege	2904	spoolsv.exe
Token: SeDebugPrivilege	2304	spoolsv.exe
Token: SeDebugPrivilege	856	spoolsv.exe
Token: SeDebugPrivilege	2332	spoolsv.exe
Token: SeDebugPrivilege	1060	spoolsv.exe
Token: SeDebugPrivilege	2472	spoolsv.exe
Token: SeDebugPrivilege	2848	spoolsv.exe
Token: SeDebugPrivilege	2116	spoolsv.exe
Token: SeDebugPrivilege	2452	spoolsv.exe
Token: SeDebugPrivilege	1368	spoolsv.exe
Token: SeDebugPrivilege	2524	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1132	2172	e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe	30
PID 2172 wrote to memory of 1132	2172	e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe	30
PID 2172 wrote to memory of 1132	2172	e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe	30
PID 2172 wrote to memory of 1132	2172	e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe	30
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2676 wrote to memory of 2076	2676	Comagentrefhostmonitor.exe	38
PID 2676 wrote to memory of 2076	2676	Comagentrefhostmonitor.exe	38
PID 2676 wrote to memory of 2076	2676	Comagentrefhostmonitor.exe	38
PID 2076 wrote to memory of 1268	2076	csc.exe	40
PID 2076 wrote to memory of 1268	2076	csc.exe	40
PID 2076 wrote to memory of 1268	2076	csc.exe	40
PID 2676 wrote to memory of 2180	2676	Comagentrefhostmonitor.exe	56
PID 2676 wrote to memory of 2180	2676	Comagentrefhostmonitor.exe	56
PID 2676 wrote to memory of 2180	2676	Comagentrefhostmonitor.exe	56
PID 2676 wrote to memory of 1672	2676	Comagentrefhostmonitor.exe	57
PID 2676 wrote to memory of 1672	2676	Comagentrefhostmonitor.exe	57
PID 2676 wrote to memory of 1672	2676	Comagentrefhostmonitor.exe	57
PID 2676 wrote to memory of 1068	2676	Comagentrefhostmonitor.exe	59
PID 2676 wrote to memory of 1068	2676	Comagentrefhostmonitor.exe	59
PID 2676 wrote to memory of 1068	2676	Comagentrefhostmonitor.exe	59
PID 2676 wrote to memory of 984	2676	Comagentrefhostmonitor.exe	60
PID 2676 wrote to memory of 984	2676	Comagentrefhostmonitor.exe	60
PID 2676 wrote to memory of 984	2676	Comagentrefhostmonitor.exe	60
PID 2676 wrote to memory of 2652	2676	Comagentrefhostmonitor.exe	61
PID 2676 wrote to memory of 2652	2676	Comagentrefhostmonitor.exe	61
PID 2676 wrote to memory of 2652	2676	Comagentrefhostmonitor.exe	61
PID 2676 wrote to memory of 1640	2676	Comagentrefhostmonitor.exe	62
PID 2676 wrote to memory of 1640	2676	Comagentrefhostmonitor.exe	62
PID 2676 wrote to memory of 1640	2676	Comagentrefhostmonitor.exe	62
PID 2676 wrote to memory of 1344	2676	Comagentrefhostmonitor.exe	68
PID 2676 wrote to memory of 1344	2676	Comagentrefhostmonitor.exe	68
PID 2676 wrote to memory of 1344	2676	Comagentrefhostmonitor.exe	68
PID 1344 wrote to memory of 1892	1344	cmd.exe	70
PID 1344 wrote to memory of 1892	1344	cmd.exe	70
PID 1344 wrote to memory of 1892	1344	cmd.exe	70
PID 1344 wrote to memory of 2816	1344	cmd.exe	71
PID 1344 wrote to memory of 2816	1344	cmd.exe	71
PID 1344 wrote to memory of 2816	1344	cmd.exe	71
PID 1344 wrote to memory of 2688	1344	cmd.exe	72
PID 1344 wrote to memory of 2688	1344	cmd.exe	72
PID 1344 wrote to memory of 2688	1344	cmd.exe	72
PID 2688 wrote to memory of 2900	2688	spoolsv.exe	73
PID 2688 wrote to memory of 2900	2688	spoolsv.exe	73
PID 2688 wrote to memory of 2900	2688	spoolsv.exe	73
PID 2900 wrote to memory of 2772	2900	cmd.exe	75
PID 2900 wrote to memory of 2772	2900	cmd.exe	75
PID 2900 wrote to memory of 2772	2900	cmd.exe	75
PID 2900 wrote to memory of 3068	2900	cmd.exe	76
PID 2900 wrote to memory of 3068	2900	cmd.exe	76
PID 2900 wrote to memory of 3068	2900	cmd.exe	76
PID 2900 wrote to memory of 2904	2900	cmd.exe	78
PID 2900 wrote to memory of 2904	2900	cmd.exe	78
PID 2900 wrote to memory of 2904	2900	cmd.exe	78
PID 2904 wrote to memory of 2428	2904	spoolsv.exe	79
PID 2904 wrote to memory of 2428	2904	spoolsv.exe	79
PID 2904 wrote to memory of 2428	2904	spoolsv.exe	79
PID 2428 wrote to memory of 2540	2428	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe
"C:\Users\Admin\AppData\Local\Temp\e6799f5c6d46b85d714bbc3d2a36ebf9a2dbd9d83026ba6244c9c31ba741f954N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockWin\QczNALuWvOKdV5GMhjevKaFBtf1SKR43.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockWin\CUwZnCRbzO0L1SQ5kaGKXQS6kJiyEtx7efZNn9fMWQtXRSgTCWGRArJObrct.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\blockWin\Comagentrefhostmonitor.exe
      "C:\blockWin/Comagentrefhostmonitor.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3f42yep\j3f42yep.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81BD.tmp" "c:\Windows\System32\CSC4851513345C3443CB366A54D6108B8.TMP"
        6⤵
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockWin\Comagentrefhostmonitor.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oznmqIjDn6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1892
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
      - C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bviytIjYVg.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2248
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bdGnfK5Vvn.bat"
        11⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3032
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GJEc11R9oa.bat"
        13⤵
        
        PID:1736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1920
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat"
        15⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1dc23k5BXS.bat"
        17⤵
        
        PID:352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2028
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat"
        19⤵
        
        PID:1484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2800
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yjLtiCBkS.bat"
        21⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2896
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat"
        23⤵
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dskflg4gU2.bat"
        25⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1284
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ShtBqUILw0.bat"
        27⤵
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1636
        
        C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat"
        29⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\tracing\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComagentrefhostmonitorC" /sc MINUTE /mo 14 /tr "'C:\blockWin\Comagentrefhostmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comagentrefhostmonitor" /sc ONLOGON /tr "'C:\blockWin\Comagentrefhostmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComagentrefhostmonitorC" /sc MINUTE /mo 11 /tr "'C:\blockWin\Comagentrefhostmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dc23k5BXS.bat

Filesize
186B

MD5
b5ce3923168758aa2e4e424e63b00480

SHA1
c5aa44620a76a732f94f406f8d58a4e86e368aed

SHA256
a277f990d39025103a6898095cbf1d0de4c23258f12d1d64e32e792ea76b955a

SHA512
d19cea08bea727980c33fc38965c66ac9757b8a81aca2fcb5e9a8e13a77510e4d4e3186f3c2850b24a3ebf1bdc7bf2f808eea1a1727fb398627c5388da392961

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yjLtiCBkS.bat

Filesize
234B

MD5
e43190547234688eb6b0de811cb47465

SHA1
57f2a55a48ca6eb805ddd3e085c0960b9dc618e3

SHA256
1049cbc6f3d887a14788baf6e8b1ddd3e7b84ad28d89a98ae86308f33b3616d4

SHA512
d533e945c1a66e8c9bee44f0130c87820283140b399af49885abf9d6b2436c1cb50f9568f4e0a9950922dd875427e964e1795cc5d3ceb1fb37813b6d18270946

Download Submit
C:\Users\Admin\AppData\Local\Temp\84x6wBxxuC.bat

Filesize
186B

MD5
a3421eebd2a467b84e1dd9e2332efb55

SHA1
feb318057b61a7f827bc78eb53d5addb1b7116e3

SHA256
6a2f398d70d65516aa07d547fc05c71c99e5bd09566542293252e6b62287666b

SHA512
48bf3f20edbac89d73ab07e30356879db33fee0abed9f50505d90022d0e5c8ac062a9a2c6776e7a3cd720729f751135c4634c3a3ea75cf1649b5333d554fcde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9O9rrJCHDg.bat

Filesize
186B

MD5
a63b6ba55fbfb0a74c43cb952a3ca481

SHA1
6193fe9237a57aea4b9af0a6960321933de32e66

SHA256
997a7d90fdbfcbefcba3eb4c4a5815c461201ae708a73154d6807bac146d5e18

SHA512
9d96767573c63e5cf0e44aab9afdce1a7c8004783e67635005082f1425a4e614f1d5d41be15e4cadbb2aa9984bb6ef4a4fbeea38430f1abc78fdf76e75037bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dskflg4gU2.bat

Filesize
186B

MD5
920450360772aadc6eb49ece1419dcb7

SHA1
c38237449a2c0a971da9987ec4e69731818ce313

SHA256
fa973cf00a991df831b0a2dc3f71ecd7fa7773fcd374abc7e1c7967281d59cf1

SHA512
bcf0fe0bc8c40b56e6b0fcb8be0888b0bc16350a461c4f4a7c9e92e212b21ec9e092624c68682d9eca736937156b55f28b19d27fc6668f05a04231627c553cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJEc11R9oa.bat

Filesize
234B

MD5
b0ae345662d9c5a85b8113c724e3c3af

SHA1
a7f240e013261ec5cb483ac8ddd59006e77bbc45

SHA256
044e36a466cf05a88733f50b74cc3f9c0c930b9a5c9ce3b7a95b52101bf923ee

SHA512
85e1a42ad170968ce86c5ceab2a9491921278ca6d6c20903939547d1a964e7f2e876170d56571f4772424a0e1bd580b379abb14db5ffebd69e2f460c17a0a3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat

Filesize
186B

MD5
e5a5ed5f6f63bde2a2177d2affffaf3c

SHA1
73686ddb5f88123359b3da46933e3f7cd6e9895e

SHA256
c3dee6e90323cc7af1940b8a045ddded4f033b1d6316953a742596c582cef43f

SHA512
08026d3607ec44cf5e2756dba424de07a071aa976f8d58689cf1aa8da933dd6a78045f08dfdff409a14f81dd1e8198ff52285c7f369cbb697aaefba8bbef83a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81BD.tmp

Filesize
1KB

MD5
65a72217e8c246621e6ac6c1e205ad09

SHA1
f56ab73d33c7210a07e9137415de36b15145f163

SHA256
fedeb3427c10161594013b761cf641cc593532cd732543d804d6d6547a857275

SHA512
847dc9f1a3af2a27c835a8175d370019f7c041de27c476cd36540b01d3091a99a6ac0b87b32cae917650dbab249f845b88dfd66b3474a0e278fdcfacddb24fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShtBqUILw0.bat

Filesize
234B

MD5
5e27308925b2fcb56d5337ad4a18fa1d

SHA1
c9a91912734e65207ca9be444f62946b9bdbd23e

SHA256
83621931fa29c279b832c8f109cfc19a2157e59c45e7694b179fdc8d63b67e81

SHA512
538015f013c648159b11ba9ff16a2fb1a791641cdbdde57863d7dbaf608a356c4755dea96d93f4c6ec6b141b8796a056c5f54473c3d6c954a52445bf53128014

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdGnfK5Vvn.bat

Filesize
234B

MD5
9eff22f3f51eb726856251eb9b2400d1

SHA1
2603bf4931d6f42cdb46609a04e82e1f6de14d78

SHA256
28c19887ec5008f1a4808ff6cf3ad55a0ec407a466466da7732df23d098e8bc4

SHA512
771574376ebb65c9d2b2053e96f51ebb94d11264c6abf91c40b4817a6138dcc83ceeba29e4d22d36348b34d82539f2efb10235fdd15c8f9710b00225e96346ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\bviytIjYVg.bat

Filesize
234B

MD5
300da2638bcefd154373e7541e849def

SHA1
25f6ef49cbfe49be504b414f5f45b3ef1b8f0e69

SHA256
2d09628da7180bf6d675fd6c8747193ec9e3dee6437c9895b06287ce022f8dfe

SHA512
3514f28b369b881a9a886b7594b807240f8050bcae1b4e4da68b5e660bccc2932ce6d75df7ee886bbad7c163c3b2182bd5c476fad197e4d5f56dd65979735535

Download Submit
C:\Users\Admin\AppData\Local\Temp\oznmqIjDn6.bat

Filesize
186B

MD5
5c453d7680deb66c490b5da92b1837e1

SHA1
e26b895e7653a64f174b39d75cb4e0489c9e5786

SHA256
524c24d2f3cdf4266acc1d0d67ead25a179f3a0d817e1e5ed7226c3424d9b045

SHA512
7659dc4731bda58fbebcdfbdf1d718fa60fb33fb7e272e757194ea47655de17e5cfa83a0657a7c2ef5ef693c4fe26b2fed950dc00814fd569617a6818db246b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgniDsG2Ey.bat

Filesize
186B

MD5
c5136933a19dffe156054e03ea6ff0f2

SHA1
0c047736f02146e02d086aba3a1b12a0d84497a9

SHA256
8db397100a41803fea162f110a6b3c222021a5794d786c49e192622d530f1d15

SHA512
b67f782cb4782f620f3a73fee5104e102f74c7f68e3bb0cdc756b9a215dfb782bc01c1dadcb246cf9d35a2e162b98c903add20f2f884f8aca7161fbdfd3eb2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuGXyMaJvX.bat

Filesize
186B

MD5
aec9b61eaa703a185d6aa7299748d488

SHA1
96a95796257afe4002ce77da8da59837974f0e01

SHA256
e3c94950be486e0a3d71b242faee8ee75593df3cd96a5f1014c2d95d590507d2

SHA512
079f9df03fb8f156725d7d2732a4b3f82e7cca61f61abc43f606042690c5885dd3d732dfd4712e79448bcf66a51ba29d31dd8747621ce6587446ecec3ac0be52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d37a446ba368700848639dd2e434e5

SHA1
49a31fa0d265712ec9154f9bf2d7e415f73751a7

SHA256
e9f6c23b04fd0d7a23c870d2f52e8a4e14390a6dc0d64c12519bfc3d9b5e48e4

SHA512
87c4899866e573e7f4b20cd2fba1b695fd8708d2d233dae266f231580858cf3fa0df1f577d90ec5dd57b9bb7840391c1d7a83ae926eda6a8cf6234c117b5f149

Download Submit
C:\blockWin\CUwZnCRbzO0L1SQ5kaGKXQS6kJiyEtx7efZNn9fMWQtXRSgTCWGRArJObrct.bat

Filesize
83B

MD5
f078b29caca72c6428bfcaf55792c6cb

SHA1
fca4dd62839c1528e5a94e5919ce35e4fc40c1a7

SHA256
44f29540b36bfd51914e93e014e7a093c6b03e743d95828926f0e30c26fc4a91

SHA512
1d6a71a59e683e9af4d316b24aebd825f80b00cd1b35ae4c100e991b46ff9e246855fffee628ea52f652890e720544cc6401ef692ba688068955063eb5c714f5

Download Submit
C:\blockWin\QczNALuWvOKdV5GMhjevKaFBtf1SKR43.vbe

Filesize
246B

MD5
9314b628cc986c5564f4833d34bdc013

SHA1
8fea451199337e6c51e2d5b9e2863ced636bb26a

SHA256
03f87dddda939712917dc97d565a36c5d8e60daa960e4abb1b13844052bfd6f2

SHA512
efb1b56afd3e1b35286e74805176145d258dd04ae91b804dae14dde11d12e6bc57d78899f5f9c6c02a779bc6df7c9949ce5c30477949f7fd64c57d975aac73b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3f42yep\j3f42yep.0.cs

Filesize
374B

MD5
48a262baee35c9b1d4ba502eccede0cd

SHA1
5fdf92aaef988d8c90e3167524a31c4568bb3e39

SHA256
de5d8c513970a7b24822f3641b50dae9d5d6894f90f7abde2bb13d13501e05e2

SHA512
34bf8ca031b4160ebf56f748a359a546cb93a888d2eeb60ca7a7ed68f7db1ecfd59c2f4617270c81b763918dd4b33b908abda18bb4dd702866c67a163898a398

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3f42yep\j3f42yep.cmdline

Filesize
235B

MD5
29a6d04fe0513f94567dd957b44f4eb5

SHA1
54a5613e043d8df328d8471c381b0ca69ef7be5b

SHA256
3a6398a1c68e65fece0a5b41304327e4cfcccd7c05157b77534fc858fdf0bfab

SHA512
592cc1c7b0b2988da2f46d48c87f390d35dcd6e77c7902a6804f30fb4d9f46c9b1dcc722f3563eb6c476640dc1149dd8fa7ae33a5121d5db2dcc837a18eb1b59

Download Submit
\??\c:\Windows\System32\CSC4851513345C3443CB366A54D6108B8.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
\blockWin\Comagentrefhostmonitor.exe

Filesize
1.9MB

MD5
a19401a25e01b8d445cbf8ea44e3afc8

SHA1
0b07e166c910b8ad804ead6ff773567c9c294f6b

SHA256
e9a8f5dfb353acce92b0ff5ebaaa45e7089f51336b356d78dc6bdb1b70df25b1

SHA512
4aa2ba3196df2bf749136eaa43a202ef19bd479d8553730dba530ced71954a521a524cf8d3871141a3f203d29830927c5db39aa96e147673b60b85c5b595edff

Download Submit
memory/856-126-0x0000000000E70000-0x0000000001056000-memory.dmp

Filesize
1.9MB

Download
memory/1060-151-0x0000000000EB0000-0x0000000001096000-memory.dmp

Filesize
1.9MB

Download
memory/1368-216-0x00000000010E0000-0x00000000012C6000-memory.dmp

Filesize
1.9MB

Download
memory/1640-82-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2180-72-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2304-113-0x0000000000D90000-0x0000000000F76000-memory.dmp

Filesize
1.9MB

Download
memory/2452-203-0x0000000000240000-0x0000000000426000-memory.dmp

Filesize
1.9MB

Download
memory/2524-229-0x0000000000380000-0x0000000000566000-memory.dmp

Filesize
1.9MB

Download
memory/2676-21-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2676-19-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/2676-17-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/2676-15-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2676-23-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2676-13-0x00000000001D0000-0x00000000003B6000-memory.dmp

Filesize
1.9MB

Download
memory/2676-25-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2688-87-0x0000000001020000-0x0000000001206000-memory.dmp

Filesize
1.9MB

Download
memory/2848-177-0x00000000013A0000-0x0000000001586000-memory.dmp

Filesize
1.9MB

Download
memory/2904-100-0x00000000002B0000-0x0000000000496000-memory.dmp

Filesize
1.9MB

Download