dcrat | b5f49743e9537684fc2980a4082f8f69a541d961136fa8177f08c673fc064b40

Analysis

max time kernel
150s
max time network
113s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-11-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

srtware loader.exe
Size

2.0MB
MD5

bf46ce4d79a8b92ca7bcd9d5812d9953
SHA1

2ee8548524b14ff778186a04f4d845c91165e9d7
SHA256

9938ba00ef26ff2e084cb062f4cc2ab5c85261fbddfe4a366fb3a2057e1b8098
SHA512

fba9cbf2e5c3eacacb55f6f947369a24205a92e7c6ea2f357050a20ef7768b242d53343a39dcaf3768955510e63b91096235e612b15687796ec63264c33a28b0
SSDEEP

768:palonD1HAe0yKidgBpZLUliXgxOVXzcfQw7m:pa2nDdQidgBrLG3mqm

Score

10^/10

dcrat phemedrone credential_access discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6588835363:AAFQ228ubBfAgsCooCro8OibbaVCsDtoWIE/sendDocument

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

driverBrokerhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Idle.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\", \"C:\\Windows\\tracing\\wininit.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\", \"C:\\Windows\\tracing\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\", \"C:\\Windows\\tracing\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\", \"C:\\Windows\\tracing\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\ContainerSvc\\driverBrokerhost.exe\""	driverBrokerhost.exe

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5952	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5308	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5552	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5620	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5660	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5848	2892	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5860	powershell.exe
2436	powershell.exe
1236	powershell.exe
5896	powershell.exe
5892	powershell.exe
5884	powershell.exe
5876	powershell.exe
5868	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 31 IoCs

Processes:

aav.scrhoch.scrbbx.scrcgubbeednxkm.exedriverBrokerhost.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.execgubbeednxkm.exe

pid	process
1444	aav.scr
3156	hoch.scr
3352	bbx.scr
380	cgubbeednxkm.exe
244	driverBrokerhost.exe
556	cgubbeednxkm.exe
4512	cgubbeednxkm.exe
4444	cgubbeednxkm.exe
5668	cgubbeednxkm.exe
5196	cgubbeednxkm.exe
5248	cgubbeednxkm.exe
5272	cgubbeednxkm.exe
1752	cgubbeednxkm.exe
4116	cgubbeednxkm.exe
3680	cgubbeednxkm.exe
1644	cgubbeednxkm.exe
4044	cgubbeednxkm.exe
3412	cgubbeednxkm.exe
4984	cgubbeednxkm.exe
2532	cgubbeednxkm.exe
2996	cgubbeednxkm.exe
640	cgubbeednxkm.exe
5292	cgubbeednxkm.exe
5348	cgubbeednxkm.exe
5376	cgubbeednxkm.exe
5472	cgubbeednxkm.exe
5528	cgubbeednxkm.exe
1600	cgubbeednxkm.exe
3520	cgubbeednxkm.exe
3736	cgubbeednxkm.exe
2940	cgubbeednxkm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

driverBrokerhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\driverBrokerhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\ContainerSvc\\driverBrokerhost.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\driverBrokerhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\ContainerSvc\\driverBrokerhost.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Windows NT\\Accessories\\Registry.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\tracing\\wininit.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\tracing\\wininit.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	driverBrokerhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\""	driverBrokerhost.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCC451B391125441FA8AB4FF3B147D48F5.TMP	csc.exe
File created	\??\c:\Windows\System32\qq0pbq.exe	csc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cgubbeednxkm.exe

description pid process target process

PID 380 set thread context of 2008 380 cgubbeednxkm.exe conhost.exe

description	pid	process	target process
PID 380 set thread context of 2008	380	cgubbeednxkm.exe	conhost.exe

Drops file in Program Files directory 5 IoCs

Processes:

driverBrokerhost.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\services.exe	driverBrokerhost.exe
File opened for modification	C:\Program Files (x86)\Google\services.exe	driverBrokerhost.exe
File created	C:\Program Files (x86)\Google\c5b4cb5e9653cc	driverBrokerhost.exe
File created	C:\Program Files\Windows NT\Accessories\Registry.exe	driverBrokerhost.exe
File created	C:\Program Files\Windows NT\Accessories\ee2ad38f3d4382	driverBrokerhost.exe

Drops file in Windows directory 2 IoCs

Processes:

driverBrokerhost.exe

description ioc process

File created C:\Windows\tracing\wininit.exe driverBrokerhost.exe
File created C:\Windows\tracing\56085415360792 driverBrokerhost.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1376 sc.exe
2364 sc.exe
5748 sc.exe
1076 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\tracing\wininit.exe	driverBrokerhost.exe
File created	C:\Windows\tracing\56085415360792	driverBrokerhost.exe

pid	process
1376	sc.exe
2364	sc.exe
5748	sc.exe
1076	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

srtware loader.execmd.execmd.exeWScript.exepowershell.execmd.exeaav.scrpowershell.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srtware loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aav.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

5192 PING.EXE

pid	process
5192	PING.EXE

Modifies registry class 2 IoCs

Processes:

aav.scrdriverBrokerhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	aav.scr
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	driverBrokerhost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5192 PING.EXE

pid	process
5192	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
5308	schtasks.exe
5492	schtasks.exe
5620	schtasks.exe
1348	schtasks.exe
5824	schtasks.exe
5444	schtasks.exe
5552	schtasks.exe
5580	schtasks.exe
5784	schtasks.exe
5848	schtasks.exe
5952	schtasks.exe
5468	schtasks.exe
5528	schtasks.exe
5700	schtasks.exe
5736	schtasks.exe
1696	schtasks.exe
5144	schtasks.exe
5660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hoch.scrpowershell.exepowershell.exebbx.scrcgubbeednxkm.exedriverBrokerhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3156	hoch.scr
3156	hoch.scr
2436	powershell.exe
2436	powershell.exe
1236	powershell.exe
1236	powershell.exe
3352	bbx.scr
3352	bbx.scr
3352	bbx.scr
3352	bbx.scr
380	cgubbeednxkm.exe
380	cgubbeednxkm.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
244	driverBrokerhost.exe
5896	powershell.exe
5876	powershell.exe
5860	powershell.exe
5884	powershell.exe
5884	powershell.exe
5860	powershell.exe
5868	powershell.exe
5868	powershell.exe
5892	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

srtware loader.exehoch.scrpowershell.exepowershell.exedriverBrokerhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3092	srtware loader.exe
Token: SeDebugPrivilege	3156	hoch.scr
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	244	driverBrokerhost.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	5892	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

srtware loader.execmd.execmd.execmd.exeaav.scrWScript.execmd.execgubbeednxkm.exedriverBrokerhost.execsc.execmd.exe

description	pid	process	target process
PID 3092 wrote to memory of 4144	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 4144	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 4144	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 3992	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 3992	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 3992	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 5080	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 5080	3092	srtware loader.exe	cmd.exe
PID 3092 wrote to memory of 5080	3092	srtware loader.exe	cmd.exe
PID 4144 wrote to memory of 1444	4144	cmd.exe	aav.scr
PID 4144 wrote to memory of 1444	4144	cmd.exe	aav.scr
PID 4144 wrote to memory of 1444	4144	cmd.exe	aav.scr
PID 5080 wrote to memory of 3156	5080	cmd.exe	hoch.scr
PID 5080 wrote to memory of 3156	5080	cmd.exe	hoch.scr
PID 3992 wrote to memory of 3352	3992	cmd.exe	bbx.scr
PID 3992 wrote to memory of 3352	3992	cmd.exe	bbx.scr
PID 1444 wrote to memory of 5220	1444	aav.scr	WScript.exe
PID 1444 wrote to memory of 5220	1444	aav.scr	WScript.exe
PID 1444 wrote to memory of 5220	1444	aav.scr	WScript.exe
PID 3092 wrote to memory of 2436	3092	srtware loader.exe	powershell.exe
PID 3092 wrote to memory of 2436	3092	srtware loader.exe	powershell.exe
PID 3092 wrote to memory of 2436	3092	srtware loader.exe	powershell.exe
PID 5220 wrote to memory of 4740	5220	WScript.exe	cmd.exe
PID 5220 wrote to memory of 4740	5220	WScript.exe	cmd.exe
PID 5220 wrote to memory of 4740	5220	WScript.exe	cmd.exe
PID 4740 wrote to memory of 1236	4740	cmd.exe	powershell.exe
PID 4740 wrote to memory of 1236	4740	cmd.exe	powershell.exe
PID 4740 wrote to memory of 1236	4740	cmd.exe	powershell.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 380 wrote to memory of 2008	380	cgubbeednxkm.exe	conhost.exe
PID 4740 wrote to memory of 244	4740	cmd.exe	driverBrokerhost.exe
PID 4740 wrote to memory of 244	4740	cmd.exe	driverBrokerhost.exe
PID 244 wrote to memory of 5332	244	driverBrokerhost.exe	csc.exe
PID 244 wrote to memory of 5332	244	driverBrokerhost.exe	csc.exe
PID 5332 wrote to memory of 5400	5332	csc.exe	cvtres.exe
PID 5332 wrote to memory of 5400	5332	csc.exe	cvtres.exe
PID 244 wrote to memory of 5860	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5860	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5868	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5868	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5876	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5876	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5884	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5884	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5892	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5892	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5896	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 5896	244	driverBrokerhost.exe	powershell.exe
PID 244 wrote to memory of 4464	244	driverBrokerhost.exe	cmd.exe
PID 244 wrote to memory of 4464	244	driverBrokerhost.exe	cmd.exe
PID 4464 wrote to memory of 4572	4464	cmd.exe	chcp.com
PID 4464 wrote to memory of 4572	4464	cmd.exe	chcp.com
PID 4464 wrote to memory of 5192	4464	cmd.exe	PING.EXE
PID 4464 wrote to memory of 5192	4464	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\srtware loader.exe
"C:\Users\Admin\AppData\Local\Temp\srtware loader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %localappdata%\Temp\aav.scr
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\aav.scr
    C:\Users\Admin\AppData\Local\Temp\aav.scr
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ContainerSvc\ZiOdZcQwKJ8RQo6XUUcZMF0HmG7dX8mZOGDPaR5TSJjBqPvcu2Q.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ContainerSvc\JQVMe0q2KkCJwRINY0yWHphGmCQw.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath 'C:\ProgramData'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
      - C:\Users\Admin\AppData\Roaming\ContainerSvc\driverBrokerhost.exe
        
        "C:\Users\Admin\AppData\Roaming\ContainerSvc/driverBrokerhost.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vo1rnxae\vo1rnxae.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5332
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD438.tmp" "c:\Windows\System32\CSCC451B391125441FA8AB4FF3B147D48F5.TMP"
        8⤵
        
        PID:5400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ContainerSvc\driverBrokerhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0eLotxrMea.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %localappdata%\Temp\bbx.scr
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\bbx.scr
    C:\Users\Admin\AppData\Local\Temp\bbx.scr
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3352
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XEGVIBGW"
      4⤵
      Launches sc.exe
      PID:2364
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XEGVIBGW" binpath= "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1376
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XEGVIBGW"
      4⤵
      Launches sc.exe
      PID:1076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start %localappdata%\Temp\hoch.scr
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\hoch.scr
    C:\Users\Admin\AppData\Local\Temp\hoch.scr
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2008
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:556
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:4512
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:4444
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5668
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5196
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5248
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5272
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:4116
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:3680
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:1644
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:4044
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:3412
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:640
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5292
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5348
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5376
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5472
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:5528
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:1600
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:3520
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:3736
- - C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe
    "C:\ProgramData\bdgqvfkbuyec\cgubbeednxkm.exe"
    3⤵
    - Executes dropped EXE
    PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\tracing\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverBrokerhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\ContainerSvc\driverBrokerhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverBrokerhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\ContainerSvc\driverBrokerhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverBrokerhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\ContainerSvc\driverBrokerhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e7f5bf81743c4743325cca1c3fd7deda

SHA1
0484834aac1937002bf0e94df60c5cdc4714683d

SHA256
e7ffb7a358ba41d57ac86d90769f6a57ccdaa988de6ae35a340526baf40f1da4

SHA512
d67675fcbc4d6e166f690ad09938bd7a3213ce2fca6cb31aec30fc0eef64e869073ccdf3d1ce6e9185657f246e19310451c5c6ec3ce2e13504aaa53f057c5490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e716669430ace1b705a4e953f679a2c

SHA1
fc3b14ff844fcfecf067cd4804ce4c29812cac56

SHA256
c07bb3906bb56acbacf9c14487baaa924c1bd49981c8368527c8aaceff3bd547

SHA512
3b99c99be4986ee90c168832596aa47f0c66753945b162e1d7002e43bf42999e5aac7335b71cf949e8e3a1c56d522c1780385838ab7e8e813d20091bbe420299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
496B

MD5
7e33ae29625c74bbf59eb4e06e60b123

SHA1
81a545af40f4a327484c8eeb4cb471e3b58f76a9

SHA256
eaddb197d2941c82cfb5ff003461e7bd59ac54c2b20b8e02b64f0b40a3da1ca1

SHA512
aef90186646ca7071417316a752e96366004e467450f811a348e1d4cb0f295ac065419dbf116e02ddfe33a34ed31b06cb45175472c983bb5de8d04db14e41ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0eLotxrMea.bat

Filesize
158B

MD5
4ebd9055815329dc9113b769a80ebc61

SHA1
8579bd787090fa5981b6b2a3e02373932af05d23

SHA256
0e8053fcaa9a94edf6b66a156220fa8285932193cac51b42a3bcdb059767ee90

SHA512
096583f6c9fbdbbb30021b6bf4444b0aaa2e0f15bfb8b95a4d85485c975858a33f2e3f568358b07f6c2271a0071c8282677b41c16f6ef2f4c8f9b23974667357

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD438.tmp

Filesize
1KB

MD5
c2ed1f29fe352dbe08fd21f3b5544be5

SHA1
bded28b16f91f8f7d6891783300fd290c6c3b3b6

SHA256
fb1ab10103cf8d82453a3527197267b95c206cc4f775f45c712aacb914e89e0b

SHA512
c7ceb2419538e6174a3c326ed3848287cdf84007ff1af9c9a1ef162ed2f9ad7f9c8372c2fa1659908071f36a21f0b693a99892065b2c788ee0fe0ff90609f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2rtoym3i.c3r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aav.scr

Filesize
2.0MB

MD5
3f615eba9ea40402e7ac7cbd2ce3b45f

SHA1
8fc64bd0c5a9408989d0d836b775e527d04db550

SHA256
19f1679c01473e04c6460fe95801874443a0f2ccb06f7d1b0907a99fb0fa8482

SHA512
be4fe935912e7ff3fcab126353935e6a4f813ac05a9f213d8ab42313b6bcf0770e3563e5e4035046bdf92cae01368907a055af4cad3ce7d11adcec74e057bd5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbx.scr

Filesize
2.5MB

MD5
d5ac30c01a54e7fae75152785d58b9b3

SHA1
1649f5c03f7192ac4fe12acff10bf20c7db3d888

SHA256
5f1afaf179c67b627c2e3490802970555be673d7dd25a1127525bd6797170ebf

SHA512
1a757bb721ab925c7b3ca54c8c0c2d07d4aeafc734d75c72ec4f1212e0f01f18695f1359f5d5b9c2612c6ec776257a4ded540f67874e418929c628e2fee92311

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoch.scr

Filesize
137KB

MD5
94bc952819cc970bb61cdc2563dc132a

SHA1
7da065ddc68c4f22d19d680276379e2b5a53525f

SHA256
17a04e0c979c03823661de3bee9f38a90600fdab97965ce03dd097b2867ab0b2

SHA512
9a55da6f0109fea18ce00e53cdf32be404a76ab5bf6cad0f9aa396583156918ba6bcec3ce69c6981a06ad7598ff232dd636a7eb0c92f513c0643e9480f7d972a

Download Submit
C:\Users\Admin\AppData\Roaming\ContainerSvc\JQVMe0q2KkCJwRINY0yWHphGmCQw.bat

Filesize
150B

MD5
bada63c9bc9346ed5bb9de33c533ff7f

SHA1
0cb6457cf9d18a13ca6611aa14e7ce971fb21112

SHA256
5346e020230dca1cfef05e421999aea4891c0726509d4fa303a5adcd04323822

SHA512
1021db4b8a393bd6bf0f4c5f0934899b79c007db974ada3fe060bafecaae5b4e09690e25c54d144c7799323f710b1eb792d4138b44e3dacab01ae47ded4f3ed8

Download Submit
C:\Users\Admin\AppData\Roaming\ContainerSvc\ZiOdZcQwKJ8RQo6XUUcZMF0HmG7dX8mZOGDPaR5TSJjBqPvcu2Q.vbe

Filesize
225B

MD5
d926f0a7c151b335198c064207a8242f

SHA1
cf9ed3e960c3689771ffab0837ca13b0adf2e5a7

SHA256
2b0c2e04e998d7ee4bb2cc434524550036331714cec35abaf513aaa70549d5bb

SHA512
5034e07e4c3aed63e838fb6cd7ffe2e7ff2e7aa097f9473561736e2797f6eb68704bd3dc9e7fefd77e7efd868bdf746aec692afd78f3a9c1e31c214083ec3ba7

Download Submit
C:\Users\Admin\AppData\Roaming\ContainerSvc\driverBrokerhost.exe

Filesize
1.7MB

MD5
481807e26ee3de2cb7cfe48509033f66

SHA1
4ffa528d2bad21a44eb025ed902b5ea5bc391539

SHA256
dab5f9cfa8ea001008a7ded8660ecbcb17387ec27d966b8822bec34c8fb56c36

SHA512
f1a57589efb420e8efc1d0d758d510ff08349b2f91f89b30e329c29072c4eb4f1c5d734b63b0ac7029d74be4cf26965207ece14e3f47f8e43003ab767b0cce63

Download Submit
C:\Windows\TEMP\rtwbnuphusju.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vo1rnxae\vo1rnxae.0.cs

Filesize
362B

MD5
589d3a6d47b1c090265da2c1cb9cf45a

SHA1
a5a7aad5504cfb79222c707ec81050dc47387abd

SHA256
cb0ed1cf3aff703944096b1f5205a3bb6d2754ae649b0994e25f1e6cda0448b4

SHA512
1a8f94a47dc1daa5f0c72753e6a65b65d96874c90c820964540bbbcce6b007b50696b1d42a7ea23ee8515a80ad7a3cc86d29839d3d45fa9a03e67cb476c23221

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vo1rnxae\vo1rnxae.cmdline

Filesize
235B

MD5
75a4e4f9585e56cb19f17b178d658b2c

SHA1
11c556dfcf1826ea0f5fc0d56bfcdc0e3fabdc8b

SHA256
9bdf042f9db31608f3d3621f92d339f96ea0f423527a5466a3dcaf26ca099ea5

SHA512
e641530774b1a530d16f9d8a0fbb1673ab720f6f253a8a912957aacff8382e4cc57a76087fc28e937788413a8fcaad095c6f6c2aba2229cb068c97f010c9a282

Download Submit
\??\c:\Windows\System32\CSCC451B391125441FA8AB4FF3B147D48F5.TMP

Filesize
1KB

MD5
5312a26d06282ef9ae358ed7609d9bb5

SHA1
0ba9ce38a2b4bf3de2b3d6f589488caf95e24b55

SHA256
c50e76bfb6328f826406d6ee365f7eb2936eb2be622d2dd08b144e1fce606246

SHA512
4d3724e6bca4ff31c21d321567f684856ea35133a23de706b1c7f62d40642509d871fc3745739e798b003f832fa7bdc3de11f03da6c88e3507def0fd0047e525

Download Submit
memory/244-791-0x0000000000770000-0x0000000000926000-memory.dmp

Filesize
1.7MB

Download
memory/244-793-0x000000001B490000-0x000000001B49E000-memory.dmp

Filesize
56KB

Download
memory/244-795-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

Filesize
56KB

Download
memory/244-797-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/1236-767-0x000000006F6A0000-0x000000006F6EC000-memory.dmp

Filesize
304KB

Download
memory/2436-761-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/2436-783-0x0000000007760000-0x0000000007768000-memory.dmp

Filesize
32KB

Download
memory/2436-782-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/2436-781-0x0000000007670000-0x0000000007685000-memory.dmp

Filesize
84KB

Download
memory/2436-780-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/2436-779-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/2436-758-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/2436-756-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2436-755-0x0000000007A60000-0x00000000080DA000-memory.dmp

Filesize
6.5MB

Download
memory/2436-754-0x00000000070E0000-0x0000000007184000-memory.dmp

Filesize
656KB

Download
memory/2436-753-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/2436-743-0x0000000006690000-0x00000000066C4000-memory.dmp

Filesize
208KB

Download
memory/2436-744-0x000000006F6A0000-0x000000006F6EC000-memory.dmp

Filesize
304KB

Download
memory/2436-733-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/2436-732-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/2436-731-0x0000000005C30000-0x0000000005F87000-memory.dmp

Filesize
3.3MB

Download
memory/2436-722-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/2436-721-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/2436-720-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/2436-719-0x00000000053A0000-0x00000000059CA000-memory.dmp

Filesize
6.2MB

Download
memory/2436-718-0x0000000004C20000-0x0000000004C56000-memory.dmp

Filesize
216KB

Download
memory/3092-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3092-2-0x00000000058F0000-0x00000000058F6000-memory.dmp

Filesize
24KB

Download
memory/3092-51-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-47-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-53-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-695-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3092-694-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3092-692-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3092-7-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-9-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-55-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-11-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-13-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-15-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-57-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-17-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-19-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-37-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-23-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-25-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-29-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-33-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-1-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/3092-49-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-21-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-39-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-41-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-43-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-45-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-61-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-63-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-65-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-206-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3092-96-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3092-67-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-6-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-27-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-31-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-35-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-59-0x0000000007EC0000-0x0000000007F19000-memory.dmp

Filesize
356KB

Download
memory/3092-5-0x0000000007EC0000-0x0000000007F1E000-memory.dmp

Filesize
376KB

Download
memory/3092-4-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3092-3-0x0000000007CF0000-0x0000000007D50000-memory.dmp

Filesize
384KB

Download
memory/3156-704-0x0000020407660000-0x0000020407688000-memory.dmp

Filesize
160KB

Download
memory/5896-833-0x00000130D8750000-0x00000130D8772000-memory.dmp

Filesize
136KB

Download