dcrat | 2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

235215E48C6B826E256D5918CBB1B0DA.exe
Size

7.2MB
MD5

235215e48c6b826e256d5918cbb1b0da
SHA1

7045d2e4da8d6102e3e199af4b848cac4ca934e1
SHA256

2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91
SHA512

feb1b3315da05d4466be68c6bb70dfdeaeaf8cb92ced1023db84c0d66a1b40e7f0fa9bad2d9e421b580887e1134dc7e30a25d5f9dc48f4e0cb780ebd93899df4
SSDEEP

196608:FPU+TdWWQbrlUIxOthZr2GbxuvzN5wWYNRdRT:JU+T4LbrlbxOFr2GFuv7+NRL

Score

10^/10

dcrat xmrig defense_evasion discovery execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\fr-FR\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\conhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\fr-FR\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\services.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\fr-FR\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\services.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\", \"C:\\Windows\\fr-FR\\csrss.exe\""	WIndowsDefendirCore.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	268	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	268	schtasks.exe	90

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1280-52-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-51-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-54-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-58-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-57-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-56-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-55-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-59-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1280-60-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2828	powershell.exe
2004	powershell.exe
2820	powershell.exe
2616	powershell.exe
2668	powershell.exe
292	powershell.exe
2352	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2768	New.exe
2700	build.exe
476	Process not Found
2844	bjqgtalbkeyq.exe
2292	WIndowsDefendirCore.exe
296	conhost.exe

Loads dropped DLL 6 IoCs

pid	Process
2656	235215E48C6B826E256D5918CBB1B0DA.exe
2656	235215E48C6B826E256D5918CBB1B0DA.exe
2656	235215E48C6B826E256D5918CBB1B0DA.exe
476	Process not Found
2868	cmd.exe
2868	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\fr-FR\\csrss.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\fr-FR\\csrss.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\conhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\conhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\conhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\OSPPSVC.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\services.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\services.exe\""	WIndowsDefendirCore.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1164	powercfg.exe
1652	powercfg.exe
584	powercfg.exe
1620	powercfg.exe
632	powercfg.exe
628	powercfg.exe
2132	powercfg.exe
1932	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bjqgtalbkeyq.exe
File created	\??\c:\Windows\System32\CSCA7E9BD59E9844A039817ABE33E84545.TMP	csc.exe
File created	\??\c:\Windows\System32\qmeprf.exe	csc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 set thread context of 1280	2844	bjqgtalbkeyq.exe	89

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1280-47-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-46-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-52-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-51-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-50-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-49-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-48-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-54-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-58-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-57-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-55-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-59-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1280-60-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\fr-FR\csrss.exe	WIndowsDefendirCore.exe
File created	C:\Windows\fr-FR\886983d96e3d3e	WIndowsDefendirCore.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1872	sc.exe
2588	sc.exe
1676	sc.exe
2008	sc.exe
2228	sc.exe
1532	sc.exe
2152	sc.exe
1568	sc.exe
2364	sc.exe
1108	sc.exe
1944	sc.exe
1900	sc.exe
2176	sc.exe
2928	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	235215E48C6B826E256D5918CBB1B0DA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1516	PING.EXE

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 503eb101d674db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1516	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2348	schtasks.exe
2392	schtasks.exe
680	schtasks.exe
2068	schtasks.exe
1372	schtasks.exe
1480	schtasks.exe
2676	schtasks.exe
2692	schtasks.exe
632	schtasks.exe
1676	schtasks.exe
2504	schtasks.exe
2612	schtasks.exe
3036	schtasks.exe
1860	schtasks.exe
3040	schtasks.exe
400	schtasks.exe
2804	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	build.exe
2668	powershell.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2700	build.exe
2844	bjqgtalbkeyq.exe
292	powershell.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
2844	bjqgtalbkeyq.exe
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe
2292	WIndowsDefendirCore.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeShutdownPrivilege	584	powercfg.exe
Token: SeShutdownPrivilege	632	powercfg.exe
Token: SeShutdownPrivilege	628	powercfg.exe
Token: SeShutdownPrivilege	1620	powercfg.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	2132	powercfg.exe
Token: SeShutdownPrivilege	1932	powercfg.exe
Token: SeShutdownPrivilege	1164	powercfg.exe
Token: SeLockMemoryPrivilege	1280	explorer.exe
Token: SeDebugPrivilege	2292	WIndowsDefendirCore.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	296	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2768	2656	235215E48C6B826E256D5918CBB1B0DA.exe	30
PID 2656 wrote to memory of 2768	2656	235215E48C6B826E256D5918CBB1B0DA.exe	30
PID 2656 wrote to memory of 2768	2656	235215E48C6B826E256D5918CBB1B0DA.exe	30
PID 2656 wrote to memory of 2768	2656	235215E48C6B826E256D5918CBB1B0DA.exe	30
PID 2656 wrote to memory of 2700	2656	235215E48C6B826E256D5918CBB1B0DA.exe	31
PID 2656 wrote to memory of 2700	2656	235215E48C6B826E256D5918CBB1B0DA.exe	31
PID 2656 wrote to memory of 2700	2656	235215E48C6B826E256D5918CBB1B0DA.exe	31
PID 2656 wrote to memory of 2700	2656	235215E48C6B826E256D5918CBB1B0DA.exe	31
PID 2768 wrote to memory of 2856	2768	New.exe	32
PID 2768 wrote to memory of 2856	2768	New.exe	32
PID 2768 wrote to memory of 2856	2768	New.exe	32
PID 2768 wrote to memory of 2856	2768	New.exe	32
PID 680 wrote to memory of 2528	680	cmd.exe	40
PID 680 wrote to memory of 2528	680	cmd.exe	40
PID 680 wrote to memory of 2528	680	cmd.exe	40
PID 1508 wrote to memory of 2168	1508	cmd.exe	71
PID 1508 wrote to memory of 2168	1508	cmd.exe	71
PID 1508 wrote to memory of 2168	1508	cmd.exe	71
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1300	2844	bjqgtalbkeyq.exe	84
PID 2844 wrote to memory of 1280	2844	bjqgtalbkeyq.exe	89
PID 2844 wrote to memory of 1280	2844	bjqgtalbkeyq.exe	89
PID 2844 wrote to memory of 1280	2844	bjqgtalbkeyq.exe	89
PID 2844 wrote to memory of 1280	2844	bjqgtalbkeyq.exe	89
PID 2844 wrote to memory of 1280	2844	bjqgtalbkeyq.exe	89
PID 2856 wrote to memory of 2868	2856	WScript.exe	91
PID 2856 wrote to memory of 2868	2856	WScript.exe	91
PID 2856 wrote to memory of 2868	2856	WScript.exe	91
PID 2856 wrote to memory of 2868	2856	WScript.exe	91
PID 2868 wrote to memory of 2292	2868	cmd.exe	93
PID 2868 wrote to memory of 2292	2868	cmd.exe	93
PID 2868 wrote to memory of 2292	2868	cmd.exe	93
PID 2868 wrote to memory of 2292	2868	cmd.exe	93
PID 2292 wrote to memory of 2680	2292	WIndowsDefendirCore.exe	97
PID 2292 wrote to memory of 2680	2292	WIndowsDefendirCore.exe	97
PID 2292 wrote to memory of 2680	2292	WIndowsDefendirCore.exe	97
PID 2680 wrote to memory of 2784	2680	csc.exe	99
PID 2680 wrote to memory of 2784	2680	csc.exe	99
PID 2680 wrote to memory of 2784	2680	csc.exe	99
PID 2292 wrote to memory of 2352	2292	WIndowsDefendirCore.exe	115
PID 2292 wrote to memory of 2352	2292	WIndowsDefendirCore.exe	115
PID 2292 wrote to memory of 2352	2292	WIndowsDefendirCore.exe	115
PID 2292 wrote to memory of 2700	2292	WIndowsDefendirCore.exe	116
PID 2292 wrote to memory of 2700	2292	WIndowsDefendirCore.exe	116
PID 2292 wrote to memory of 2700	2292	WIndowsDefendirCore.exe	116
PID 2292 wrote to memory of 2828	2292	WIndowsDefendirCore.exe	117
PID 2292 wrote to memory of 2828	2292	WIndowsDefendirCore.exe	117
PID 2292 wrote to memory of 2828	2292	WIndowsDefendirCore.exe	117
PID 2292 wrote to memory of 2004	2292	WIndowsDefendirCore.exe	118
PID 2292 wrote to memory of 2004	2292	WIndowsDefendirCore.exe	118
PID 2292 wrote to memory of 2004	2292	WIndowsDefendirCore.exe	118
PID 2292 wrote to memory of 2820	2292	WIndowsDefendirCore.exe	120
PID 2292 wrote to memory of 2820	2292	WIndowsDefendirCore.exe	120
PID 2292 wrote to memory of 2820	2292	WIndowsDefendirCore.exe	120
PID 2292 wrote to memory of 2616	2292	WIndowsDefendirCore.exe	121
PID 2292 wrote to memory of 2616	2292	WIndowsDefendirCore.exe	121
PID 2292 wrote to memory of 2616	2292	WIndowsDefendirCore.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\235215E48C6B826E256D5918CBB1B0DA.exe
"C:\Users\Admin\AppData\Local\Temp\235215E48C6B826E256D5918CBB1B0DA.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\New.exe
  "C:\Users\Admin\AppData\Local\Temp\New.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe
        
        "C:\Users\Admin\AppData\Roaming\DirecctX/WIndowsDefendirCore.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d2qt1ach\d2qt1ach.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85C3.tmp" "c:\Windows\System32\CSCA7E9BD59E9844A039817ABE33E84545.TMP"
        7⤵
        
        PID:2784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RLm7N0ZAxq.bat"
        6⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2528
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1108
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2228
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1944
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:2588
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ZNALQAQP" binpath= "C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1900
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:2152

C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2168
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2176
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2928
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1300
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCore" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES85C3.tmp

Filesize
1KB

MD5
6b878c978874cd3fc55370f20cf70478

SHA1
cffd77d6dbeb4f2b9857cb18cb166d227c441ae4

SHA256
b5ff32f6e95330eceecf6818a6758ebac88ab70804362996ec60850080f71a1c

SHA512
2a8a300ce3819dcdff53855962fc1d4c917097a70d0c3bfb22211b346c445f0f0af4358761e842e4deefb640480b5cdd62a3d04c8639237f8d214965c965965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLm7N0ZAxq.bat

Filesize
215B

MD5
029b63ffc3ffb451bd7dcfdc6838a17d

SHA1
cdde74742825a1c049e2d53e99274e7ba55258d6

SHA256
6ed25a5fb7f705328bb1ee5f3c0228911b5744913171fd81f6eae298ca7df319

SHA512
5141873fbbc625d91b9415a7a7acb007d732173e31c62d29dd7f7c3cf0f17a3048cf4d9e3f88beac3aeff50d86509282544d3430ae26c28baddac8a66536a7fb

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat

Filesize
83B

MD5
1352bcf0074f83167937d0b792c87422

SHA1
1fccfc8e6e58c157a108b419b059bf56a376218e

SHA256
a8e94b3d8f08f7363d67b3d878a13a3f6bcedb7bf2c30bd12013a1274cdd5eb8

SHA512
7e7e7685ded282f260399f4914d30d3f66fc16718e37ecfe7120211c416c1ec61c0a8f9c53219714bc243e10417955eca1d808fb650b749cdd30deb2b95c12a7

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe

Filesize
242B

MD5
1b498932bffb477f2d766265c95027c8

SHA1
e5e6782b8a085660a0fb18d0c22dd8badd143ca7

SHA256
7daf3de82393f499ae2c49ad5bf4e90ffa6202358719a2fb5d630483fa30faec

SHA512
319022a1ebfbd5343f309bbbc340ae8c1541074202f28406052426e72483a498417f92bd88c993fd13f48bc6ea9a8d8c16f93ac68e6c2ad33a24fec0b656a942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f4a965ea0bd8aa83b87605e8cc0b9a58

SHA1
3a16496f35c378cc52fa24071e8aa533ae56c272

SHA256
f4efb60f07d108678a942847ea6644ede258e0a86385aec6bcd319d78ebb88ec

SHA512
1bf9844f34f4eccc0dc74cd0d2d6c2eb339b1793f9c2a042d68f12bba5e47d3da432a84b182fa0c62f8962b02c708fc252fa56bee59d9162d131f8c1bed11db2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b7735d8bcbf8d23322355732c07632b

SHA1
5cd607fb68699b4bb25945c326f925c0fe9687d7

SHA256
4bb522b554de99d17c5084c4656b671107c01d2668c11527cc9ada92ff10fc68

SHA512
20ea67113f017af18cfe0ccad87213264a6ed6bad3a07bd3251beaa5b64cdace33cdd791a7374bffdf9bc5cace49bee2f6f363d4a5dd174856ded782838a609a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d2qt1ach\d2qt1ach.0.cs

Filesize
392B

MD5
05a20a46d6194f3d37e4c0b4ed06e2d2

SHA1
cd9e6d53fd23fb8cdab2e537c0c06defe0dec5ed

SHA256
04f331c2d15fe11ef38834dd999c3dd53a32b6bad8be739f743b4553006adbc1

SHA512
ce6ccdfd756b262ed0ad9c6a8219aeb0d3e3be2293c5c6d06319c5b1cc061832da9140e485f55e3849c3820e018659ad30d70c239e1d5009d7547f187ffda2e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d2qt1ach\d2qt1ach.cmdline

Filesize
235B

MD5
9b06b1a27fe451dbcac8671c6cd9461c

SHA1
283a8757a69511e8e018099f7795ea07838b7b19

SHA256
2e4e6d7a667e843e8f2b5fc0a32805873cfbe8bdba3bb328406b5caff1efdd2d

SHA512
74e7a6842f0bb952edf97c1ee55bb1578634d2c552efc2003992daed6658e9ccf3e263da219238fdb49e4030ea510fcd4de50a25620fff9c9c35a115ddf82ac8

Download Submit
\??\c:\Windows\System32\CSCA7E9BD59E9844A039817ABE33E84545.TMP

Filesize
1KB

MD5
167c870490dc33ec13a83ebb533b1bf6

SHA1
182378ebfa7c8372a988dee50a7dd6f8cda6a367

SHA256
3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6

SHA512
1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e

Download Submit
\Users\Admin\AppData\Local\Temp\New.exe

Filesize
2.2MB

MD5
f949e6359bde9144353763e9b2e2142f

SHA1
8a12f6962a7ba1e7cb14eb4bdd92c4d192126b0f

SHA256
224c639c421a65b7d21cc3783de7b337927065bae7c14de84cb25dcea2b79db8

SHA512
fad2e708d8b03f7f32e72bdbf7780c5ca4f39f19f17cdc6571a12bce4977fd5a4e718ec5f5961e444bf159ff5c39e44a5300e1ff1c15ad385348061f7c7cdb05

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
5.0MB

MD5
18d911bff318971dfcbc17779653d85b

SHA1
ce8f083dbb1bbf54f2e8f5cedbae08a39b840ced

SHA256
a762eb90202786607f19417fc0d199b0bf5de141a7f150eb607277bc8fe25d32

SHA512
49785c81667c748c6f4e062f239df9edef063ec89cde0bac7ba266ef96456d0ec480f990dc6e9fe2f590dc7250fc1465e7147cc469292b2cbb5576dee6214202

Download Submit
\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe

Filesize
1.9MB

MD5
254c53120741d9866651de36cd0be8da

SHA1
01025412a8dbf5d4b5a4f07a38158a6a5f0fe1b1

SHA256
f17e8166f08cfc46e520826cc833c6c6fed0557677d59078f7368900f8908626

SHA512
34ebe9833f0adff42fa96e2240165e489984c4be5555a1a030ea725b22fa6c42d3ff91dbf7703270b9981c4ca0663e97a205304bfa3d5b16d76f5911b94dd85b

Download Submit
memory/292-35-0x0000000019E70000-0x000000001A152000-memory.dmp

Filesize
2.9MB

Download
memory/292-36-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/296-139-0x0000000000280000-0x000000000046A000-memory.dmp

Filesize
1.9MB

Download
memory/1280-47-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-53-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1280-52-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-51-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-50-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-49-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-48-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-54-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-58-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-57-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-56-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-55-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-59-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-60-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1280-46-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1300-38-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1300-44-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1300-42-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1300-40-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1300-39-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1300-37-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2004-114-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2292-76-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2292-74-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2292-72-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2292-70-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2292-68-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2292-66-0x0000000000EE0000-0x00000000010CA000-memory.dmp

Filesize
1.9MB

Download
memory/2656-13-0x0000000000400000-0x0000000000B42000-memory.dmp

Filesize
7.3MB

Download
memory/2668-29-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2668-28-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2700-120-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download