dcrat | d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Size

1.8MB
MD5

0f6832bc8381b05096f8ffac1272e400
SHA1

be7722fb36f12432f6da2e051d1f96761e97fcf4
SHA256

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5
SHA512

7fabcaac732873a97990faba9a06fee2b4c4febf8e5be1b223827c10671151854dcd755ca492c5738bebb18dd0dc3616a2e08768ae69d80bd681259008d04548
SSDEEP

24576:zyvTg4STbYSG65XZsTBsR36Y1864kHFLlb/sgaspAqsbTsIvVJUl52iFxA4Gbg:W6hdR3KlyFLlbsrs6PbTJU24Gb

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\services.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Windows\\DigitalLocker\\ja-JP\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2692	schtasks.exe

Executes dropped EXE 11 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid process

848 smss.exe
1980 smss.exe
2232 smss.exe
380 smss.exe
2940 smss.exe
2440 smss.exe
2024 smss.exe
776 smss.exe
2224 smss.exe
1980 smss.exe
3056 smss.exe

pid	process
848	smss.exe
1980	smss.exe
2232	smss.exe
380	smss.exe
2940	smss.exe
2440	smss.exe
2024	smss.exe
776	smss.exe
2224	smss.exe
1980	smss.exe
3056	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\audiodg.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\DigitalLocker\\ja-JP\\services.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\DigitalLocker\\ja-JP\\services.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC8A3E937CE0FB476F88EBF0158DE5633B.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
File created	C:\Program Files\Windows Portable Devices\lsass.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Drops file in Windows directory 2 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
File created	C:\Windows\DigitalLocker\ja-JP\services.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Windows\DigitalLocker\ja-JP\c5b4cb5e9653cc	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

3044 PING.EXE
1532 PING.EXE
1660 PING.EXE
1696 PING.EXE
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

3044 PING.EXE
1532 PING.EXE
1660 PING.EXE
1696 PING.EXE

pid	process
3044	PING.EXE
1532	PING.EXE
1660	PING.EXE
1696	PING.EXE

pid	process
3044	PING.EXE
1532	PING.EXE
1660	PING.EXE
1696	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2084	schtasks.exe
2904	schtasks.exe
2620	schtasks.exe
2880	schtasks.exe
1684	schtasks.exe
2852	schtasks.exe
2720	schtasks.exe
1952	schtasks.exe
2792	schtasks.exe
2024	schtasks.exe
2760	schtasks.exe
2124	schtasks.exe
2440	schtasks.exe
1612	schtasks.exe
2900	schtasks.exe
2556	schtasks.exe
2624	schtasks.exe
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

pid	process
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Token: SeDebugPrivilege	848	smss.exe
Token: SeDebugPrivilege	1980	smss.exe
Token: SeDebugPrivilege	2232	smss.exe
Token: SeDebugPrivilege	380	smss.exe
Token: SeDebugPrivilege	2940	smss.exe
Token: SeDebugPrivilege	2440	smss.exe
Token: SeDebugPrivilege	2024	smss.exe
Token: SeDebugPrivilege	776	smss.exe
Token: SeDebugPrivilege	2224	smss.exe
Token: SeDebugPrivilege	1980	smss.exe
Token: SeDebugPrivilege	3056	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.execsc.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exe

description	pid	process	target process
PID 2996 wrote to memory of 2596	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	csc.exe
PID 2996 wrote to memory of 2596	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	csc.exe
PID 2996 wrote to memory of 2596	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	csc.exe
PID 2596 wrote to memory of 2940	2596	csc.exe	cvtres.exe
PID 2596 wrote to memory of 2940	2596	csc.exe	cvtres.exe
PID 2596 wrote to memory of 2940	2596	csc.exe	cvtres.exe
PID 2996 wrote to memory of 2908	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	cmd.exe
PID 2996 wrote to memory of 2908	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	cmd.exe
PID 2996 wrote to memory of 2908	2996	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	cmd.exe
PID 2908 wrote to memory of 1312	2908	cmd.exe	chcp.com
PID 2908 wrote to memory of 1312	2908	cmd.exe	chcp.com
PID 2908 wrote to memory of 1312	2908	cmd.exe	chcp.com
PID 2908 wrote to memory of 2108	2908	cmd.exe	w32tm.exe
PID 2908 wrote to memory of 2108	2908	cmd.exe	w32tm.exe
PID 2908 wrote to memory of 2108	2908	cmd.exe	w32tm.exe
PID 2908 wrote to memory of 848	2908	cmd.exe	smss.exe
PID 2908 wrote to memory of 848	2908	cmd.exe	smss.exe
PID 2908 wrote to memory of 848	2908	cmd.exe	smss.exe
PID 848 wrote to memory of 952	848	smss.exe	cmd.exe
PID 848 wrote to memory of 952	848	smss.exe	cmd.exe
PID 848 wrote to memory of 952	848	smss.exe	cmd.exe
PID 952 wrote to memory of 940	952	cmd.exe	chcp.com
PID 952 wrote to memory of 940	952	cmd.exe	chcp.com
PID 952 wrote to memory of 940	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1660	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 1660	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 1660	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 1980	952	cmd.exe	smss.exe
PID 952 wrote to memory of 1980	952	cmd.exe	smss.exe
PID 952 wrote to memory of 1980	952	cmd.exe	smss.exe
PID 1980 wrote to memory of 3052	1980	smss.exe	cmd.exe
PID 1980 wrote to memory of 3052	1980	smss.exe	cmd.exe
PID 1980 wrote to memory of 3052	1980	smss.exe	cmd.exe
PID 3052 wrote to memory of 1256	3052	cmd.exe	chcp.com
PID 3052 wrote to memory of 1256	3052	cmd.exe	chcp.com
PID 3052 wrote to memory of 1256	3052	cmd.exe	chcp.com
PID 3052 wrote to memory of 1696	3052	cmd.exe	PING.EXE
PID 3052 wrote to memory of 1696	3052	cmd.exe	PING.EXE
PID 3052 wrote to memory of 1696	3052	cmd.exe	PING.EXE
PID 3052 wrote to memory of 2232	3052	cmd.exe	smss.exe
PID 3052 wrote to memory of 2232	3052	cmd.exe	smss.exe
PID 3052 wrote to memory of 2232	3052	cmd.exe	smss.exe
PID 2232 wrote to memory of 1528	2232	smss.exe	cmd.exe
PID 2232 wrote to memory of 1528	2232	smss.exe	cmd.exe
PID 2232 wrote to memory of 1528	2232	smss.exe	cmd.exe
PID 1528 wrote to memory of 484	1528	cmd.exe	chcp.com
PID 1528 wrote to memory of 484	1528	cmd.exe	chcp.com
PID 1528 wrote to memory of 484	1528	cmd.exe	chcp.com
PID 1528 wrote to memory of 2460	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 2460	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 2460	1528	cmd.exe	w32tm.exe
PID 1528 wrote to memory of 380	1528	cmd.exe	smss.exe
PID 1528 wrote to memory of 380	1528	cmd.exe	smss.exe
PID 1528 wrote to memory of 380	1528	cmd.exe	smss.exe
PID 380 wrote to memory of 2852	380	smss.exe	cmd.exe
PID 380 wrote to memory of 2852	380	smss.exe	cmd.exe
PID 380 wrote to memory of 2852	380	smss.exe	cmd.exe
PID 2852 wrote to memory of 3008	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 3008	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 3008	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 2772	2852	cmd.exe	w32tm.exe
PID 2852 wrote to memory of 2772	2852	cmd.exe	w32tm.exe
PID 2852 wrote to memory of 2772	2852	cmd.exe	w32tm.exe
PID 2852 wrote to memory of 2940	2852	cmd.exe	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
"C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i3tjge2e\i3tjge2e.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE1D.tmp" "c:\Windows\System32\CSC8A3E937CE0FB476F88EBF0158DE5633B.TMP"
    3⤵
    PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iUpuL3uIcT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1312
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2108
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1iyfU6Kdf1.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:940
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
    - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EROGQHdFU4.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2460
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G1mQn2m5Eg.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2772
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RGyWY8ttHj.bat"
        12⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1564
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"
        14⤵
        
        PID:1748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1840
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat"
        16⤵
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2924
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W7vO5ocqvr.bat"
        18⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2348
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aw9hvKlXqO.bat"
        20⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat"
        22⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5Nd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5Nd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\lsass.exe

Filesize
1.8MB

MD5
0f6832bc8381b05096f8ffac1272e400

SHA1
be7722fb36f12432f6da2e051d1f96761e97fcf4

SHA256
d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5

SHA512
7fabcaac732873a97990faba9a06fee2b4c4febf8e5be1b223827c10671151854dcd755ca492c5738bebb18dd0dc3616a2e08768ae69d80bd681259008d04548

Download Submit
C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat

Filesize
185B

MD5
fc858da6827c4c0a5b85eb9ad622c796

SHA1
ee6e3a035ae47291fe6035297d9e46be1d30e29d

SHA256
5814ffa7b750e00e94a25a717c0980abd65504d227be67fe53c7b34cbb61f657

SHA512
427b220ca7c5883af1cce656b1188ace0832e7fd1b2050a4d31bee62ff10ffb50270df13da620e4ec604cc3a49124b1cbb033b903ccdb54f092fee245db3a410

Download Submit
C:\Users\Admin\AppData\Local\Temp\1iyfU6Kdf1.bat

Filesize
185B

MD5
cd755b5e87b36c69447222f1f8ad17a0

SHA1
1e2bed207c8904ee32f7790de7b224799c1f84aa

SHA256
7735e2deea9415545d5010e3b4292502a26a4c83057f1c62913f44db51004402

SHA512
94d0f3503abd6925c07834dab67ed7b165b2efec3f5c11db707ec0f5b5e29da41d1235a64235e85338062ddf17325a43f3441fc67c941030cfe8ba55056c67e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EROGQHdFU4.bat

Filesize
233B

MD5
5828bf956e89fa4bda8cded88758d08a

SHA1
bbdaa59504158d282d4d29dbdbf7d439005a8485

SHA256
51d82ebd34255cf1d8ee3bc63f2f6d9ef5ea8e6daa865a5bc7809c7c15b084c8

SHA512
daf7347d0e63cd0b4841f9d0ffdc16eab26530cd27d9361c96b0d5e91289a4c572f6369fe0eca4dd3bafa9716684bf99796ade01d7267a404e95a78e39299cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1mQn2m5Eg.bat

Filesize
233B

MD5
703e308e479cfa07dd8378e872e70dbf

SHA1
6b3888513cfde8b3add11ffa1af10dd8f7d39f00

SHA256
0d8cf414d379024c21b15130c8dd6c385f691852597c983d37da718b003b3b85

SHA512
e68000998870a75b4c12f6aa9a598d050233a400b8e9c7175ceb5c70d697917da6998217515f304ad8507843e6ab0936274251032d26460d65b3656035305d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat

Filesize
233B

MD5
680e479405ade6314e716fe458405942

SHA1
069c5017947c40c04186781da7af7fe5840e31a8

SHA256
249b5931a090f5f04727b7d542652efc62df25bd5bdf7295654a235bea62ec3f

SHA512
f5fc9abdcf9c57b45e81a792fee2b6ef1f8f2c85ffdbf20f6b5265f89b983a17154b225dfbbf560934a66dab5f4b1e1cbf20862709c1c45be3414f5193a45027

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFE1D.tmp

Filesize
1KB

MD5
6802c60e0f5a25728a7373f3137dc2d9

SHA1
49c051877092dc78bc51b199f6430f6d39261395

SHA256
c86c4bfa21e32879e289042d72ba5ef14f0c0d2bd7c5624d3974a1768097df1b

SHA512
b8b89d14acdb087a0bb8555cc2dc06a6dc189777d101496efd93405b144f23fb7a517db654e214a187f52c381e96df6f1a82d355e2d7b436cf7e66fb486ce679

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGyWY8ttHj.bat

Filesize
233B

MD5
b78c2e083d9701c1a2b93c369f6f8c38

SHA1
2559fe1f83a1dcc4386962fe1d1f1f60cb5aeccc

SHA256
137d306f5c7d61ce61d20e20108c331a8fa050bc386076648364fee2cf8c6cbd

SHA512
d76e1f2fe100a65786d739cb7a5e1f94f3f51cb30b81056c78791d1999781979a037ed684e6e05fccb230b18aa4abbf5441ea4f205bccbeefff4132b9fd28940

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7vO5ocqvr.bat

Filesize
233B

MD5
fb5d9218aad9e57638ea433762bd85f3

SHA1
34b3b76dce140cc8cef50ffc4de2cf1d6e1ee88d

SHA256
8dd843dec83dab522b8643ac78406df491e9dd5ef44f51514e93f5b7c4119160

SHA512
1ef92a0b7cf07d4ca104f48b0869448f55bacb9252dd9071fbaf438e5d986fff95aea3e9d17c57ceb096083cc154c756c67a4ece24ab61e6b3788ecd8cea86f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8EFjwB7Jj.bat

Filesize
233B

MD5
cdfdf7ba9558e8137f07984382a30298

SHA1
015ca845b5992b9ada8968d0af9e202dec9e75ed

SHA256
fcc8bf02077e40c4684e9a6312042f0bfae758a170936ff3a55419d5ff0f5585

SHA512
7b197f7a16b2c9f4ff5bae13bca483aad30bbe63debf7409494b4e1142de793efb2a51855992a63ac073d5065fb4e0b9f82957b12ff91368a3820b38cfc49149

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw9hvKlXqO.bat

Filesize
185B

MD5
47ab899564c0b824cfee378d9d1e0b31

SHA1
0166cde8124d0f6ea9da20989ecf052388215dec

SHA256
ee2e01182f8b718ab7a917fb8ec935d644d36a4f134f92f8137c7cda8a477180

SHA512
421755cfd66410f96eed9308cfa57afb015f233f29021d1b35a30957a3b88b2f1b2ad524bfc1d70d6a7f6d30ebc4c624cab03dfe2da39dfbe3da13bc85c6f20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat

Filesize
185B

MD5
be627e94dafd79b1fd5bf4412c052ddc

SHA1
64bd35ad8f01441be0e6f5441b831ff7e63428a9

SHA256
1f9e0d2588a526db7feb6c6afde7b5b2dba956928525bc6abf636f1fbd907a01

SHA512
d08bf146255a1a9ed5099fc2b778163e696ac9d6384deb611b54b92f60c5662cd5233c0b5e7aaabd53b4212410ab3fd3fdc43e57bccae6303a35450004a2ad10

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUpuL3uIcT.bat

Filesize
233B

MD5
b93dc34839537193463e21fbbbfefb20

SHA1
053454cb31ef56cd9971d50f3441d5710723b226

SHA256
bf24a8c6d4472e83ef97cf0c2eee22c3c0515bdfaa70491a32d97f5402ce812b

SHA512
e94a6092939b6dc1d465740513731e2f63903cd0bc36a469fd7af79817590f0cc41d89065efb6ce0b05602830d7d950adc25c3d4db979b28c55e2a8d3ac5b91e

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i3tjge2e\i3tjge2e.0.cs

Filesize
383B

MD5
1c02e30fcc50fafe1a85ca2c3513ae65

SHA1
580154db112d0b7e8d6d6fdaec6e0e85bab9d016

SHA256
cdb8cf739cc8a0b33e67d1dac7cb943f0a729a8211604d5e02d11f3994f0d618

SHA512
94951a5fb2b97abe41dc91e3069f70b1982dcdf697e649d73dc2a50f437d53d5930f19614ee8f44d8df91301aa612783129f423a0ee61fe47c8fd9ab10de85ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i3tjge2e\i3tjge2e.cmdline

Filesize
235B

MD5
96d71a75a67e787a914190416270f523

SHA1
17fa1c10f43032ce7263b89e241436cc7058c9a2

SHA256
092bf5e022fe1bf371f55a08ff501d63f94e26a891551195eaf409ec76b4e089

SHA512
8a9ac51ce740cd948ec1c4fedc7f3282e022fafa805453b937822dbcea8106bdb4989449913656bec7e8843c21cedb8ac54390e4536f6a97e857e17e72586b13

Download Submit
\??\c:\Windows\System32\CSC8A3E937CE0FB476F88EBF0158DE5633B.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
memory/380-82-0x0000000000E80000-0x000000000105A000-memory.dmp

Filesize
1.9MB

Download
memory/848-49-0x0000000000DD0000-0x0000000000FAA000-memory.dmp

Filesize
1.9MB

Download
memory/1980-60-0x0000000000100000-0x00000000002DA000-memory.dmp

Filesize
1.9MB

Download
memory/2224-134-0x00000000010C0000-0x000000000129A000-memory.dmp

Filesize
1.9MB

Download
memory/2232-71-0x00000000002D0000-0x00000000004AA000-memory.dmp

Filesize
1.9MB

Download
memory/2940-93-0x0000000000F60000-0x000000000113A000-memory.dmp

Filesize
1.9MB

Download
memory/2996-13-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2996-9-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-15-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-14-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-0-0x000007FEF6573000-0x000007FEF6574000-memory.dmp

Filesize
4KB

Download
memory/2996-18-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-46-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-11-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/2996-8-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2996-6-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2996-4-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-17-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-3-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-2-0x000007FEF6570000-0x000007FEF6F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1-0x0000000000CF0000-0x0000000000ECA000-memory.dmp

Filesize
1.9MB

Download
memory/3056-156-0x0000000000170000-0x000000000034A000-memory.dmp

Filesize
1.9MB

Download