dcrat | 1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Size

829KB
MD5

c1f1bea182f1c3477c2f133c3ac26930
SHA1

2145c09d2c3279ac83e844c4d80e7aa219e99b8d
SHA256

1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5
SHA512

6af6336782b29bdab906e4d289cb5c2c8500ba8a20dee53def21960e62afc28ec6756b746b4e4036a30726984a60b656b3d529b4abc119953267e91be4992a4d
SSDEEP

12288:P6TnOzi5kaag8hpT77JJMA+XSpW3Ari4VVyZC0+1cw2jINof7+vEnkdsOZ6:P6TnYa+T7dJMA+i3iE0nHfW6

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\", \"C:\\Users\\All Users\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\", \"C:\\Program Files\\Windows Journal\\OSPPSVC.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\", \"C:\\Users\\All Users\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\", \"C:\\Program Files\\Windows Journal\\OSPPSVC.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\", \"C:\\Users\\All Users\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2916	schtasks.exe	30

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1756-1-0x0000000000E10000-0x0000000000EE6000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0005000000019d44-26.dat	family_dcrat_v2
behavioral1/memory/888-83-0x0000000000350000-0x0000000000426000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1292	powershell.exe
2092	powershell.exe
2072	powershell.exe
316	powershell.exe
2124	powershell.exe
2412	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
888	OSPPSVC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Windows Journal\\OSPPSVC.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Windows Journal\\OSPPSVC.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Uninstall Information\\WmiPrvSE.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5 = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5 = "\"C:\\Users\\All Users\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5 = "\"C:\\Users\\All Users\\Package Cache\\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\OSPPSVC.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5 = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe\""	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe
File created	\??\c:\Windows\System32\CSC38E22CDC94EE462BB617F53E78EA24B1.TMP	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
File created	C:\Program Files (x86)\Uninstall Information\24dbde2999530e	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
File created	C:\Program Files\Windows Journal\OSPPSVC.exe	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
File opened for modification	C:\Program Files\Windows Journal\OSPPSVC.exe	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
File created	C:\Program Files\Windows Journal\1610b97d3ab4a7	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	OSPPSVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	OSPPSVC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
960	schtasks.exe
2392	schtasks.exe
2908	schtasks.exe
2824	schtasks.exe
3068	schtasks.exe
2496	schtasks.exe
1400	schtasks.exe
2064	schtasks.exe
2764	schtasks.exe
2000	schtasks.exe
1032	schtasks.exe
2808	schtasks.exe
592	schtasks.exe
1100	schtasks.exe
2536	schtasks.exe
2968	schtasks.exe
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	888	OSPPSVC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2176	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	34
PID 1756 wrote to memory of 2176	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	34
PID 1756 wrote to memory of 2176	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	34
PID 2176 wrote to memory of 2624	2176	csc.exe	36
PID 2176 wrote to memory of 2624	2176	csc.exe	36
PID 2176 wrote to memory of 2624	2176	csc.exe	36
PID 1756 wrote to memory of 2124	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	52
PID 1756 wrote to memory of 2124	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	52
PID 1756 wrote to memory of 2124	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	52
PID 1756 wrote to memory of 316	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	53
PID 1756 wrote to memory of 316	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	53
PID 1756 wrote to memory of 316	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	53
PID 1756 wrote to memory of 2072	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	54
PID 1756 wrote to memory of 2072	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	54
PID 1756 wrote to memory of 2072	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	54
PID 1756 wrote to memory of 2092	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	56
PID 1756 wrote to memory of 2092	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	56
PID 1756 wrote to memory of 2092	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	56
PID 1756 wrote to memory of 1292	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	57
PID 1756 wrote to memory of 1292	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	57
PID 1756 wrote to memory of 1292	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	57
PID 1756 wrote to memory of 2412	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	58
PID 1756 wrote to memory of 2412	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	58
PID 1756 wrote to memory of 2412	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	58
PID 1756 wrote to memory of 2320	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	64
PID 1756 wrote to memory of 2320	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	64
PID 1756 wrote to memory of 2320	1756	1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe	64
PID 2320 wrote to memory of 2068	2320	cmd.exe	66
PID 2320 wrote to memory of 2068	2320	cmd.exe	66
PID 2320 wrote to memory of 2068	2320	cmd.exe	66
PID 2320 wrote to memory of 2328	2320	cmd.exe	67
PID 2320 wrote to memory of 2328	2320	cmd.exe	67
PID 2320 wrote to memory of 2328	2320	cmd.exe	67
PID 2320 wrote to memory of 888	2320	cmd.exe	68
PID 2320 wrote to memory of 888	2320	cmd.exe	68
PID 2320 wrote to memory of 888	2320	cmd.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe
"C:\Users\Admin\AppData\Local\Temp\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qr0hv0n3\qr0hv0n3.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE68.tmp" "c:\Windows\System32\CSC38E22CDC94EE462BB617F53E78EA24B1.TMP"
    3⤵
    PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BqTVbcFHTW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2068
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2328
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb51" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb51" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb51" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb51" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb51" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb51" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe

Filesize
829KB

MD5
c1f1bea182f1c3477c2f133c3ac26930

SHA1
2145c09d2c3279ac83e844c4d80e7aa219e99b8d

SHA256
1054af5e9206aa0cb650a4e58900bcd369a554e64eaa89f56cb35cd105386eb5

SHA512
6af6336782b29bdab906e4d289cb5c2c8500ba8a20dee53def21960e62afc28ec6756b746b4e4036a30726984a60b656b3d529b4abc119953267e91be4992a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqTVbcFHTW.bat

Filesize
236B

MD5
a3c92f7636c3f913b5f94da1186eb3a3

SHA1
74bf974a6a28521fde64b33933b28032cefd7682

SHA256
67c99b214a74051eaf61072942827d2101b001040445711f998eae39c3794793

SHA512
10dd8577be3a111b49619eb25a2118ad2a4f0020cb58a66f7273f43806ca3dc1c75358396c9fce5253350d8159c8a0e6e9ccd9df121d9e367d1d7b9f354e4933

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE68.tmp

Filesize
1KB

MD5
7f3386c57df65631ebde9e814195045c

SHA1
a59edb714368c0aab89601efe5f05b549577efd0

SHA256
ed5be140642adf6c85373f67560d7599f6261abbc6317530e7ca944aa9e0a698

SHA512
0e15b8d5c4ed21e5018a55417d2082ab69a396ef19baeb503173506f6d9fc7172ac3466412dc8a20f8ec9e71ab184ad883921a0fbde89286b71996e5d3b240cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f0efd6084baa407a86f542d10d5f8d79

SHA1
cc5ac0549f8e8c1cd7b1895146829a52b9b93b62

SHA256
ae7be6ef8cff5dd15d49597a2c224ed5430052dca2b75aa048d6614fc5da45bf

SHA512
41f0ace6228a13cd1f9f6833fb61e15a8c191d5d13a554ec40a7714964d6cc291cbf84ba9332805644ada4a8fed189e93dd2e49bb9c88eb95dc245577eacc588

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qr0hv0n3\qr0hv0n3.0.cs

Filesize
392B

MD5
a8ce9bbb08fe64f2bd342701cf764808

SHA1
148de6507e1435b6d4735285859ccd395d15fc47

SHA256
c713c08a0b96323f8163ac700b7dec697fb84f7ae1cfa45550ed41fb8840a4fd

SHA512
972eabf86eaa2c8218f77e8f87a657d016f4dd52a864f14d3f0f29fad4b722d66cf2fbdeeec1605b43603428ab1ac29c65da13e24c8b94e20b4426bbd32ae2f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qr0hv0n3\qr0hv0n3.cmdline

Filesize
235B

MD5
2f872bcd2398d08079afc52c8cde45fe

SHA1
5983cf58ec20bb750154ce2a26bca8926552433f

SHA256
f62ebb8ff4346ec75ba411d3cb1f2f9565f24b9635716bb5382229cea8e5ba2c

SHA512
ec981acc3b968d6373c1195475077f156891076d73f99e378b15086c1931490f1ceb08189528eacf84be1676f59cc706054c490a568036ff2484757ca6bf41be

Download Submit
\??\c:\Windows\System32\CSC38E22CDC94EE462BB617F53E78EA24B1.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/888-83-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/1756-9-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/1756-0-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

Filesize
4KB

Download
memory/1756-16-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-13-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1756-28-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-29-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-30-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-31-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-11-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1756-15-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1756-7-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-6-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1756-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1756-63-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-1-0x0000000000E10000-0x0000000000EE6000-memory.dmp

Filesize
856KB

Download
memory/1756-2-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-64-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2124-62-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download