dcrat | 2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
Size

7.2MB
MD5

235215e48c6b826e256d5918cbb1b0da
SHA1

7045d2e4da8d6102e3e199af4b848cac4ca934e1
SHA256

2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91
SHA512

feb1b3315da05d4466be68c6bb70dfdeaeaf8cb92ced1023db84c0d66a1b40e7f0fa9bad2d9e421b580887e1134dc7e30a25d5f9dc48f4e0cb780ebd93899df4
SSDEEP

196608:FPU+TdWWQbrlUIxOthZr2GbxuvzN5wWYNRdRT:JU+T4LbrlbxOFr2GFuv7+NRL

Score

10^/10

dcrat xmrig defense_evasion discovery execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\Application Data\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\Application Data\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Users\\All Users\\Application Data\\sihost.exe\""	WIndowsDefendirCore.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4844	schtasks.exe	146
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4844	schtasks.exe	146

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3516-83-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-82-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-86-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-88-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-87-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-85-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-89-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-212-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3516-213-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2012	powershell.exe
852	powershell.exe
2060	powershell.exe
3272	powershell.exe
1036	powershell.exe
2560	powershell.exe
3596	powershell.exe
2940	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	WIndowsDefendirCore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	New.exe

Executes dropped EXE 5 IoCs

pid	Process
1356	New.exe
3488	build.exe
464	bjqgtalbkeyq.exe
2380	WIndowsDefendirCore.exe
2340	sppsvc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\All Users\\Application Data\\sihost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\All Users\\Application Data\\sihost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sppsvc.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	WIndowsDefendirCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIndowsDefendirCore = "\"C:\\Users\\Admin\\AppData\\Roaming\\DirecctX\\WIndowsDefendirCore.exe\""	WIndowsDefendirCore.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
20	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2200	powercfg.exe
2388	powercfg.exe
1940	powercfg.exe
1360	powercfg.exe
768	powercfg.exe
2924	powercfg.exe
556	powercfg.exe
4888	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bjqgtalbkeyq.exe
File created	\??\c:\Windows\System32\CSCAFB1A1C8D6C14D5CBF5555B3A82FE7C.TMP	csc.exe
File created	\??\c:\Windows\System32\1mirkm.exe	csc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 464 set thread context of 1704	464	bjqgtalbkeyq.exe	140
PID 464 set thread context of 3516	464	bjqgtalbkeyq.exe	143

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-78-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-82-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-85-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-77-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-212-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3516-213-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	WIndowsDefendirCore.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	WIndowsDefendirCore.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382	WIndowsDefendirCore.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe	WIndowsDefendirCore.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\0a1fd5f707cd16	WIndowsDefendirCore.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\WIndowsDefendirCore.exe	WIndowsDefendirCore.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\aa10ce1a1a1abf	WIndowsDefendirCore.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3580	sc.exe
4084	sc.exe
4520	sc.exe
4508	sc.exe
1488	sc.exe
1408	sc.exe
1660	sc.exe
2480	sc.exe
4568	sc.exe
644	sc.exe
2460	sc.exe
3364	sc.exe
3872	sc.exe
1628	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	New.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	WIndowsDefendirCore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1772	schtasks.exe
1556	schtasks.exe
4944	schtasks.exe
2200	schtasks.exe
1904	schtasks.exe
3680	schtasks.exe
2224	schtasks.exe
3824	schtasks.exe
2972	schtasks.exe
3820	schtasks.exe
3448	schtasks.exe
1100	schtasks.exe
224	schtasks.exe
4336	schtasks.exe
2804	schtasks.exe
2220	schtasks.exe
1576	schtasks.exe
4716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3488	build.exe
2560	powershell.exe
2560	powershell.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
3488	build.exe
464	bjqgtalbkeyq.exe
3596	powershell.exe
3596	powershell.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
464	bjqgtalbkeyq.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
3516	explorer.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe
2380	WIndowsDefendirCore.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeShutdownPrivilege	556	powercfg.exe
Token: SeCreatePagefilePrivilege	556	powercfg.exe
Token: SeShutdownPrivilege	4888	powercfg.exe
Token: SeCreatePagefilePrivilege	4888	powercfg.exe
Token: SeShutdownPrivilege	2200	powercfg.exe
Token: SeCreatePagefilePrivilege	2200	powercfg.exe
Token: SeShutdownPrivilege	2388	powercfg.exe
Token: SeCreatePagefilePrivilege	2388	powercfg.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeShutdownPrivilege	1360	powercfg.exe
Token: SeCreatePagefilePrivilege	1360	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeCreatePagefilePrivilege	768	powercfg.exe
Token: SeShutdownPrivilege	2924	powercfg.exe
Token: SeCreatePagefilePrivilege	2924	powercfg.exe
Token: SeShutdownPrivilege	1940	powercfg.exe
Token: SeCreatePagefilePrivilege	1940	powercfg.exe
Token: SeLockMemoryPrivilege	3516	explorer.exe
Token: SeDebugPrivilege	2380	WIndowsDefendirCore.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2340	sppsvc.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1356	1976	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	86
PID 1976 wrote to memory of 1356	1976	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	86
PID 1976 wrote to memory of 1356	1976	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	86
PID 1976 wrote to memory of 3488	1976	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	87
PID 1976 wrote to memory of 3488	1976	2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe	87
PID 1356 wrote to memory of 1052	1356	New.exe	88
PID 1356 wrote to memory of 1052	1356	New.exe	88
PID 1356 wrote to memory of 1052	1356	New.exe	88
PID 3296 wrote to memory of 4168	3296	cmd.exe	95
PID 3296 wrote to memory of 4168	3296	cmd.exe	95
PID 4072 wrote to memory of 3180	4072	cmd.exe	127
PID 4072 wrote to memory of 3180	4072	cmd.exe	127
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 1704	464	bjqgtalbkeyq.exe	140
PID 464 wrote to memory of 3516	464	bjqgtalbkeyq.exe	143
PID 464 wrote to memory of 3516	464	bjqgtalbkeyq.exe	143
PID 464 wrote to memory of 3516	464	bjqgtalbkeyq.exe	143
PID 464 wrote to memory of 3516	464	bjqgtalbkeyq.exe	143
PID 464 wrote to memory of 3516	464	bjqgtalbkeyq.exe	143
PID 1052 wrote to memory of 668	1052	WScript.exe	147
PID 1052 wrote to memory of 668	1052	WScript.exe	147
PID 1052 wrote to memory of 668	1052	WScript.exe	147
PID 668 wrote to memory of 2380	668	cmd.exe	149
PID 668 wrote to memory of 2380	668	cmd.exe	149
PID 2380 wrote to memory of 4168	2380	WIndowsDefendirCore.exe	153
PID 2380 wrote to memory of 4168	2380	WIndowsDefendirCore.exe	153
PID 4168 wrote to memory of 2172	4168	csc.exe	155
PID 4168 wrote to memory of 2172	4168	csc.exe	155
PID 2380 wrote to memory of 2940	2380	WIndowsDefendirCore.exe	171
PID 2380 wrote to memory of 2940	2380	WIndowsDefendirCore.exe	171
PID 2380 wrote to memory of 1036	2380	WIndowsDefendirCore.exe	172
PID 2380 wrote to memory of 1036	2380	WIndowsDefendirCore.exe	172
PID 2380 wrote to memory of 3272	2380	WIndowsDefendirCore.exe	173
PID 2380 wrote to memory of 3272	2380	WIndowsDefendirCore.exe	173
PID 2380 wrote to memory of 2060	2380	WIndowsDefendirCore.exe	174
PID 2380 wrote to memory of 2060	2380	WIndowsDefendirCore.exe	174
PID 2380 wrote to memory of 852	2380	WIndowsDefendirCore.exe	175
PID 2380 wrote to memory of 852	2380	WIndowsDefendirCore.exe	175
PID 2380 wrote to memory of 2012	2380	WIndowsDefendirCore.exe	176
PID 2380 wrote to memory of 2012	2380	WIndowsDefendirCore.exe	176
PID 2380 wrote to memory of 1572	2380	WIndowsDefendirCore.exe	183
PID 2380 wrote to memory of 1572	2380	WIndowsDefendirCore.exe	183
PID 1572 wrote to memory of 2320	1572	cmd.exe	185
PID 1572 wrote to memory of 2320	1572	cmd.exe	185
PID 1572 wrote to memory of 3444	1572	cmd.exe	186
PID 1572 wrote to memory of 3444	1572	cmd.exe	186
PID 1572 wrote to memory of 2340	1572	cmd.exe	188
PID 1572 wrote to memory of 2340	1572	cmd.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe
"C:\Users\Admin\AppData\Local\Temp\2bcb3e1d1935ef764abf3b1e44a5d8a310be0f863253ea746ef3875316a43a91.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\New.exe
  "C:\Users\Admin\AppData\Local\Temp\New.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe
        
        "C:\Users\Admin\AppData\Roaming\DirecctX/WIndowsDefendirCore.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnzeqnmk\qnzeqnmk.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BFF.tmp" "c:\Windows\System32\CSCAFB1A1C8D6C14D5CBF5555B3A82FE7C.TMP"
        7⤵
        
        PID:2172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\WIndowsDefendirCore.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TW5DUJKlHR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3444
        
        C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4168
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3580
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4084
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:3872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ZNALQAQP" binpath= "C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ZNALQAQP"
    3⤵
    - Launches sc.exe
    PID:1628

C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
C:\ProgramData\xkfaujlbhedp\bjqgtalbkeyq.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3180
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2480
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1488
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:644
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1704
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\WIndowsDefendirCore.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCore" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCore" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WIndowsDefendirCoreW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a1eeec361ba5d0671ba459c85a6e1d7

SHA1
a51cdcd13a6b13e842a2ee977f6d1091d63d706f

SHA256
8804fca07f0a87233d848fc260b92e03567ecbee6f903fa0594cb78b11730174

SHA512
c41e69d0485c031e49d2505bf531579134147d983d19c3d7d5e3c8f7f6eea5441c830c3eda0f396b54737f30157c9543b68901a79e919ab9f6cc93e6beea345e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1008cfb29cdc25b4180c736ec404335

SHA1
39760fbcc8c1a64e856e98d61ce194d39b727438

SHA256
0eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558

SHA512
00c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e2efbfd23e33d8d07d019bdd9ca20649

SHA1
68d3b285c423d311bdf8dc53354f5f4000caf386

SHA256
f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

SHA512
b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\New.exe

Filesize
2.2MB

MD5
f949e6359bde9144353763e9b2e2142f

SHA1
8a12f6962a7ba1e7cb14eb4bdd92c4d192126b0f

SHA256
224c639c421a65b7d21cc3783de7b337927065bae7c14de84cb25dcea2b79db8

SHA512
fad2e708d8b03f7f32e72bdbf7780c5ca4f39f19f17cdc6571a12bce4977fd5a4e718ec5f5961e444bf159ff5c39e44a5300e1ff1c15ad385348061f7c7cdb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BFF.tmp

Filesize
1KB

MD5
8523954a62b4cda10987b30a04a5c89a

SHA1
529414baf404b2fd36fa6edbb45973628e1be369

SHA256
918dc99a9405d5be77390df1e9320741d1a7b732a69b3f5403e32aba9766d5c5

SHA512
a10b09cb1d89576c6ba16075e7c475a27ecadf261be51f83d45bcc9babbae5e1f139c819c5f76b019a937691d0aa58df39fa58b99c928447b9bbe08e0407ff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\TW5DUJKlHR.bat

Filesize
230B

MD5
d194bea1a09002501a4520ec7b542c28

SHA1
f223ab787fa5ea7d8eb9fbfe82d57ada891a3a83

SHA256
60d0fdab1a7b13dae919f53cc17eb32f9933022ce6472e8bc60f6f586eb617fc

SHA512
73eb3132542a227aeec5cdc2201188f413f6e908b1e117f35739fb8274eaab61514ed32103fd91af4cf108969e41a23ebeee5eefceb26178ea3d02420b305d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mri3frk.j4b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
5.0MB

MD5
18d911bff318971dfcbc17779653d85b

SHA1
ce8f083dbb1bbf54f2e8f5cedbae08a39b840ced

SHA256
a762eb90202786607f19417fc0d199b0bf5de141a7f150eb607277bc8fe25d32

SHA512
49785c81667c748c6f4e062f239df9edef063ec89cde0bac7ba266ef96456d0ec480f990dc6e9fe2f590dc7250fc1465e7147cc469292b2cbb5576dee6214202

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\WIndowsDefendirCore.exe

Filesize
1.9MB

MD5
254c53120741d9866651de36cd0be8da

SHA1
01025412a8dbf5d4b5a4f07a38158a6a5f0fe1b1

SHA256
f17e8166f08cfc46e520826cc833c6c6fed0557677d59078f7368900f8908626

SHA512
34ebe9833f0adff42fa96e2240165e489984c4be5555a1a030ea725b22fa6c42d3ff91dbf7703270b9981c4ca0663e97a205304bfa3d5b16d76f5911b94dd85b

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\emdqIIr51ANxc8YnT8oM67sWOC7lQfL50WxcLdlgUyJcLXMn.bat

Filesize
83B

MD5
1352bcf0074f83167937d0b792c87422

SHA1
1fccfc8e6e58c157a108b419b059bf56a376218e

SHA256
a8e94b3d8f08f7363d67b3d878a13a3f6bcedb7bf2c30bd12013a1274cdd5eb8

SHA512
7e7e7685ded282f260399f4914d30d3f66fc16718e37ecfe7120211c416c1ec61c0a8f9c53219714bc243e10417955eca1d808fb650b749cdd30deb2b95c12a7

Download Submit
C:\Users\Admin\AppData\Roaming\DirecctX\xxNjaoakdqlq77rW9ny37esSaaIYvVrl9XvRF2EmRo3BjUX9SZCU8jwS.vbe

Filesize
242B

MD5
1b498932bffb477f2d766265c95027c8

SHA1
e5e6782b8a085660a0fb18d0c22dd8badd143ca7

SHA256
7daf3de82393f499ae2c49ad5bf4e90ffa6202358719a2fb5d630483fa30faec

SHA512
319022a1ebfbd5343f309bbbc340ae8c1541074202f28406052426e72483a498417f92bd88c993fd13f48bc6ea9a8d8c16f93ac68e6c2ad33a24fec0b656a942

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnzeqnmk\qnzeqnmk.0.cs

Filesize
415B

MD5
5fb62a25ea5aef27cf0074058e8e90e9

SHA1
6101cf60d1ea75ae009da07eeacd777078dc1cda

SHA256
5d8fa88b157389a1137ead076afcb2e9a0f90aeee435a075eb71346e26d3699c

SHA512
1165de41162cb5756cd02351b46192136de7fcf611de4c47cf48b3aed1bd715c8ce9596507e059843f55ee99e36261debc22961fe3217a67650fc8e460dabff4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnzeqnmk\qnzeqnmk.cmdline

Filesize
235B

MD5
efc0db53f81a604e652874cbfe8c097e

SHA1
bb2d47b8ba982938bdbf6d84b17cf8cee5340013

SHA256
cd455a156b5c1ba62825f024652df7b5f1a559a73b5bb1f9d7714e1a1d40d4bf

SHA512
a94debd711098862d5d8a3080151716d54ac60dd088ba9d3584cd89f981e04a9a103519b17bfe26d05549c5762536cc79df2ce063b8f3fafba6ac38a8529ee0d

Download Submit
\??\c:\Windows\System32\CSCAFB1A1C8D6C14D5CBF5555B3A82FE7C.TMP

Filesize
1KB

MD5
63dccfbcf5aba924ef5ebcbd2e0a0be4

SHA1
5e7dffbe92be4bb13d57ad76f4ae647fac591097

SHA256
897a3e81ae434a8b737a8ccb59ff24479f8ecfbec18ce165afce3beda4a40dbe

SHA512
9a3035de25fce4f51c26961e800c3efbe462c69d44005edd7abc06cd901bd24e935c14c745ff786f2d8fd00f174bf8d0c479321e9eb4427740223639b09d4202

Download Submit
memory/1704-71-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1704-76-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1704-70-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1704-72-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1704-69-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1704-73-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1976-14-0x0000000000400000-0x0000000000B42000-memory.dmp

Filesize
7.3MB

Download
memory/2340-211-0x000000001BAB0000-0x000000001BB1B000-memory.dmp

Filesize
428KB

Download
memory/2380-101-0x000000001BFB0000-0x000000001BFC8000-memory.dmp

Filesize
96KB

Download
memory/2380-99-0x000000001C000000-0x000000001C050000-memory.dmp

Filesize
320KB

Download
memory/2380-98-0x000000001BC30000-0x000000001BC4C000-memory.dmp

Filesize
112KB

Download
memory/2380-96-0x0000000003010000-0x000000000301E000-memory.dmp

Filesize
56KB

Download
memory/2380-103-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

Filesize
72KB

Download
memory/2380-105-0x0000000003020000-0x000000000302C000-memory.dmp

Filesize
48KB

Download
memory/2380-94-0x0000000000E60000-0x000000000104A000-memory.dmp

Filesize
1.9MB

Download
memory/2380-135-0x000000001C390000-0x000000001C3FB000-memory.dmp

Filesize
428KB

Download
memory/2560-25-0x0000021A1A3F0000-0x0000021A1A412000-memory.dmp

Filesize
136KB

Download
memory/3516-84-0x0000000000C80000-0x0000000000CA0000-memory.dmp

Filesize
128KB

Download
memory/3516-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-77-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-85-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-82-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-78-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-213-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3516-212-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3596-63-0x0000029B6E7F0000-0x0000029B6E80A000-memory.dmp

Filesize
104KB

Download
memory/3596-64-0x0000029B6E7A0000-0x0000029B6E7A8000-memory.dmp

Filesize
32KB

Download
memory/3596-62-0x0000029B6E790000-0x0000029B6E79A000-memory.dmp

Filesize
40KB

Download
memory/3596-61-0x0000029B6E7B0000-0x0000029B6E7CC000-memory.dmp

Filesize
112KB

Download
memory/3596-60-0x0000029B6E640000-0x0000029B6E64A000-memory.dmp

Filesize
40KB

Download
memory/3596-59-0x0000029B6E580000-0x0000029B6E635000-memory.dmp

Filesize
724KB

Download
memory/3596-58-0x0000029B6E560000-0x0000029B6E57C000-memory.dmp

Filesize
112KB

Download
memory/3596-65-0x0000029B6E7D0000-0x0000029B6E7D6000-memory.dmp

Filesize
24KB

Download
memory/3596-66-0x0000029B6E7E0000-0x0000029B6E7EA000-memory.dmp

Filesize
40KB

Download