dcrat | bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-02-2025 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Size

1.9MB
MD5

4faf68efc683ae3b08fea9e3e3cc98bc
SHA1

8ecfdee378eaf44d57dd828be621805ed658719a
SHA256

bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb
SHA512

aeb5fde2b04512f163ff0f17a8b31f64802271bf7a601a8555f184b9984dcc5812fc57932b4e3121cbf8fc29b0ccbb18ab5dd87c3e1dd17fc51cf8a2c3f60706
SSDEEP

49152:0F87R2Jr74nDifdT8jWq4Da46sFtndKbbhI:0FVcnLjhtOtnYxI

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Idle.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Idle.exe\", \"C:\\Windows\\Migration\\WTR\\dllhost.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Idle.exe\", \"C:\\Windows\\Migration\\WTR\\dllhost.exe\", \"C:\\Windows\\en-US\\csrss.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Idle.exe\", \"C:\\Windows\\Migration\\WTR\\dllhost.exe\", \"C:\\Windows\\en-US\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe

Process spawned unexpected child process 16 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2752	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1696	powershell.exe
2032	powershell.exe
1904	powershell.exe
1976	powershell.exe
2332	powershell.exe
1608	powershell.exe
2312	powershell.exe
2452	powershell.exe
1652	powershell.exe
112	powershell.exe
2984	powershell.exe
996	powershell.exe
1252	powershell.exe
2008	powershell.exe
1624	powershell.exe
952	powershell.exe
2148	powershell.exe
2064	powershell.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Idle.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\en-US\\csrss.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\dllhost.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows NT\\Idle.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Migration\\WTR\\dllhost.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Migration\\WTR\\dllhost.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\en-US\\csrss.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\WmiPrvSE.exe\""	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4F450EF45434790B3EF402031957E72.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\6ccacd8608530f	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dllhost.exe	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\5940a34987c991	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File created	C:\Program Files\Windows NT\Idle.exe	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\en-US\csrss.exe	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File opened for modification	C:\Windows\en-US\csrss.exe	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File created	C:\Windows\en-US\886983d96e3d3e	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File created	C:\Windows\Migration\WTR\dllhost.exe	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
File created	C:\Windows\Migration\WTR\5940a34987c991	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2516	PING.EXE
2656	PING.EXE
2824	PING.EXE
2880	PING.EXE
2324	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE
2656	PING.EXE
2824	PING.EXE
2880	PING.EXE
2324	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2228	schtasks.exe
1176	schtasks.exe
2904	schtasks.exe
1676	schtasks.exe
2592	schtasks.exe
2160	schtasks.exe
2956	schtasks.exe
1620	schtasks.exe
2056	schtasks.exe
1488	schtasks.exe
2328	schtasks.exe
2444	schtasks.exe
2816	schtasks.exe
2296	schtasks.exe
3028	schtasks.exe
1148	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2020	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	2868	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	2584	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	2292	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	772	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	3064	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
Token: SeDebugPrivilege	1480	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1064	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	34
PID 2208 wrote to memory of 1064	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	34
PID 2208 wrote to memory of 1064	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	34
PID 1064 wrote to memory of 2404	1064	csc.exe	36
PID 1064 wrote to memory of 2404	1064	csc.exe	36
PID 1064 wrote to memory of 2404	1064	csc.exe	36
PID 2208 wrote to memory of 1696	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	52
PID 2208 wrote to memory of 1696	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	52
PID 2208 wrote to memory of 1696	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	52
PID 2208 wrote to memory of 2032	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	99
PID 2208 wrote to memory of 2032	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	99
PID 2208 wrote to memory of 2032	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	99
PID 2208 wrote to memory of 2064	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	54
PID 2208 wrote to memory of 2064	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	54
PID 2208 wrote to memory of 2064	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	54
PID 2208 wrote to memory of 2452	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	56
PID 2208 wrote to memory of 2452	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	56
PID 2208 wrote to memory of 2452	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	56
PID 2208 wrote to memory of 2312	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	57
PID 2208 wrote to memory of 2312	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	57
PID 2208 wrote to memory of 2312	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	57
PID 2208 wrote to memory of 2148	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	60
PID 2208 wrote to memory of 2148	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	60
PID 2208 wrote to memory of 2148	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	60
PID 2208 wrote to memory of 952	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	61
PID 2208 wrote to memory of 952	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	61
PID 2208 wrote to memory of 952	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	61
PID 2208 wrote to memory of 1252	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	62
PID 2208 wrote to memory of 1252	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	62
PID 2208 wrote to memory of 1252	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	62
PID 2208 wrote to memory of 1608	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	63
PID 2208 wrote to memory of 1608	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	63
PID 2208 wrote to memory of 1608	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	63
PID 2208 wrote to memory of 1624	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	64
PID 2208 wrote to memory of 1624	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	64
PID 2208 wrote to memory of 1624	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	64
PID 2208 wrote to memory of 996	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	65
PID 2208 wrote to memory of 996	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	65
PID 2208 wrote to memory of 996	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	65
PID 2208 wrote to memory of 2008	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	66
PID 2208 wrote to memory of 2008	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	66
PID 2208 wrote to memory of 2008	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	66
PID 2208 wrote to memory of 2984	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	67
PID 2208 wrote to memory of 2984	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	67
PID 2208 wrote to memory of 2984	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	67
PID 2208 wrote to memory of 2332	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	68
PID 2208 wrote to memory of 2332	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	68
PID 2208 wrote to memory of 2332	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	68
PID 2208 wrote to memory of 112	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	69
PID 2208 wrote to memory of 112	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	69
PID 2208 wrote to memory of 112	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	69
PID 2208 wrote to memory of 1652	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	70
PID 2208 wrote to memory of 1652	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	70
PID 2208 wrote to memory of 1652	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	70
PID 2208 wrote to memory of 1976	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	71
PID 2208 wrote to memory of 1976	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	71
PID 2208 wrote to memory of 1976	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	71
PID 2208 wrote to memory of 1904	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	73
PID 2208 wrote to memory of 1904	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	73
PID 2208 wrote to memory of 1904	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	73
PID 2208 wrote to memory of 3068	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	88
PID 2208 wrote to memory of 3068	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	88
PID 2208 wrote to memory of 3068	2208	bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe	88
PID 3068 wrote to memory of 1508	3068	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
"C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ftg2tyj\4ftg2tyj.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93B7.tmp" "c:\Windows\System32\CSC4F450EF45434790B3EF402031957E72.TMP"
    3⤵
    PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3e2pgTlkK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1508
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
    "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat"
      4⤵
      PID:1592
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2772
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SUne2ttkTe.bat"
        6⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat"
        8⤵
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cKRKTUVm6f.bat"
        10⤵
        
        PID:296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"
        12⤵
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat"
        14⤵
        
        PID:264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OwDUg2gYJx.bat"
        16⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bbb" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bbb" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-280621445-334555338-127641177-1149653042-1591538582-10724590701361279127-1792755043"
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe

Filesize
1.9MB

MD5
4faf68efc683ae3b08fea9e3e3cc98bc

SHA1
8ecfdee378eaf44d57dd828be621805ed658719a

SHA256
bdd142d15da530d8251259bd34d1881cd29f15722de7d89c91420380eceb09bb

SHA512
aeb5fde2b04512f163ff0f17a8b31f64802271bf7a601a8555f184b9984dcc5812fc57932b4e3121cbf8fc29b0ccbb18ab5dd87c3e1dd17fc51cf8a2c3f60706

Download Submit
C:\Users\Admin\AppData\Local\Temp\02n8fxtMT9.bat

Filesize
230B

MD5
3965f28603835544e0e208424aa60786

SHA1
5a3e6a7b063d2120d30a8eafdfc405b014d6a28d

SHA256
9805e853e0666372270db5718b3e6f260680a53832056a0b70d5b3b7b7eca989

SHA512
6481459184ddac1ce67bc3b1cb3d49fbe1c96737354cfcc6a33a6f4c2b7a191f952636ef5e51ea9ddf7f538f25b0d38b71b7e16549f87f9892ae28564cc8c473

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat

Filesize
278B

MD5
810b83c49a05712c969d6b7f472b6c5c

SHA1
4823e708bbbf6a7d8df31ed9e689d69dcdc8cc6c

SHA256
c273bb95f7755fe47a76fcea7480720c9935ff816ee7f810d27b537b1003dfd4

SHA512
aa79a956cd3674af07ed1da7f649959b9a803aad51196d91c623ebd2afefa8bc5939a55060af0c96867af00faf3c5a44fdd36efa1b8567d661ad284d17f6284d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwDUg2gYJx.bat

Filesize
230B

MD5
5416eb6b719118b6328062b790771f01

SHA1
755712a2f84d3e001b73728dbdd4723a63d51460

SHA256
626f92d84ebee2c372c5617d397d8315703a7f4c6008ece7913778d6ba89f9c1

SHA512
43dac88abf7f3fc2eb60d9b4e99fbab6159f3062bc6217fc25e3c67ad818cf23e839eea31ab2e3c78ac88797f49be8ee4ec08ee465719689dabf0d70f8472656

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93B7.tmp

Filesize
1KB

MD5
2d6e610fde0f20a317ff47d391a52b32

SHA1
774a539ed770d01876608420994a358d0cd5cd66

SHA256
361d56bcfe4866a96e99506cc726ea563e5a9577e26b4d7e3752bae9fe0c76ca

SHA512
f417914f3ae9d321f70012677b9b5ca34cba1fda1bfce547b387b90430cdd78c11159cc419fef5e3a17a233ae259bbf93b6f093657009e83a84ca3266fec4dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUne2ttkTe.bat

Filesize
230B

MD5
927cccaf3b7b50393de6f406ce1caa8a

SHA1
f2c1f9243e7c47a2df161a1f6e5f01544b8376ef

SHA256
b4494a247fad90fca7972d285123d638d3e1bb472bea0b0f33a18dc89e5b971e

SHA512
5666e594a347c43c2d2ed89a159c46152c4ca41c5ef46bd52681322db974c49a5f97070d0d3c72e94870d87774d9aa383d9c2926ee638a2cece262506fb30bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat

Filesize
230B

MD5
84c24817316068e2da46693ffe8059fe

SHA1
96436a353b772ad7be5a6cfbcc130305f26a4fc3

SHA256
52ec566f38fc165c07e7a8f24005dac3d21843352959eaacf5e32e36fcd7b930

SHA512
2f2db9265cd3a6a1f608b2352820000e72364dfde4577e48850040604d5b7cc6bc8f3fb0eb8b549cb6cd1e390d47fdca30477b33c7908371235edd9e1bcbc52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat

Filesize
230B

MD5
48d98f505c1209552b9ea234d4e583b9

SHA1
eac44d44a3321b2b2cde140d4b089b729e92a7a5

SHA256
e9e6688cd50d5741d059e0f2357c732592437e82beda39711dd87e3480fed7ca

SHA512
c21f14a83c6deccb91dd41ae226b692c1cc9bd5c4cf28809b4bdd4df224aebe7c63419dc1275f154482b2a9dd2e0468ea421550f11e94f26d7a791257fa1dea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKRKTUVm6f.bat

Filesize
278B

MD5
3dc3ac06cc62fb2289762c9c1a51def4

SHA1
b4dff60eb6dac1f2a205ad7de4a80f6f903cf133

SHA256
15357c39b0dc0ce0f9e1096d6988de01be71a0fbfccdfdb583111111c42b73d5

SHA512
aef1a001ffc133f46f67ea9887b2bc419eb5be53c809d4041af4de0f76920bd6b5a55dd880405e3c7f9e81d8391b08711f7f5cfe872ab327280735ae813bab2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3e2pgTlkK.bat

Filesize
278B

MD5
9a4b8f8edd89449a4b98f1bad4bca5d8

SHA1
0607457cf329e6ea3d3eccef832993b61074e942

SHA256
a5cb676a417b6c7d66a1948b97723de93e9cbf7d4560839f0c2f16b2ede0b415

SHA512
c4b2c8b50c6bf15a05bb90e59e3df4bfe3cdcfa617b27901fbf56f458940017ac480d449efbf56a379c906af779cb6120b422d19de844e5ad9d797ac6be6a746

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16AUSV6HVTXH6OOYBP44.temp

Filesize
7KB

MD5
31f320e3ac0c91278d1095ad771603d1

SHA1
75263ce330d8d2d9dbf85acf45fb96ee1c212021

SHA256
e160e07be1afc96717d155b8b81b5375a261cd1c4eb16ad6a587e77e403f3ee5

SHA512
f7f55efaa7ea718761c33a286a54f797f4e069bf5b9a2017be716b917f96b6293ba22d23c9dd5ba7e84725e448a3bc3d5044062fa88b7d11b2a6fb87eb51499f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ftg2tyj\4ftg2tyj.0.cs

Filesize
393B

MD5
1b50245a714553323b81acef17d2d9c8

SHA1
f5b20c2bdadfc17945947c1909f8aef38a1887f8

SHA256
e01dcf3d5dc248dab01df5f1c9d7c30a8af4473b458e7f62b523f5f1c7265b0b

SHA512
3ccf648eda47c77c8ff96b9d233b4543c9e6645c161629b45c63568f52643cc31334bc2a25a66112d337c50fbc66c29728e82964c7a59f0a4e916ffcef901918

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ftg2tyj\4ftg2tyj.cmdline

Filesize
235B

MD5
0e64da0950ba99a154ee27f47a5129aa

SHA1
bdb3338dfcb38f6e17decceb2ab108c902728b74

SHA256
efe85774ef66b926f6f90f36d428f14bcf707366c57ad89b68dad9a8b037700b

SHA512
3f654dc2e568a07e5de3e619dd119abb36b7f1e86147c1b3d4069ea00772c0b3abc44d75e757e9a138bec7a16adf9e15116e0894e4f8f039b187e4ddc111ca45

Download Submit
\??\c:\Windows\System32\CSC4F450EF45434790B3EF402031957E72.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/772-197-0x0000000000280000-0x0000000000478000-memory.dmp

Filesize
2.0MB

Download
memory/2020-146-0x0000000000C70000-0x0000000000E68000-memory.dmp

Filesize
2.0MB

Download
memory/2208-9-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-13-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/2208-36-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2208-19-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2208-20-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-34-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-53-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-15-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/2208-1-0x0000000000220000-0x0000000000418000-memory.dmp

Filesize
2.0MB

Download
memory/2208-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-35-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-33-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-11-0x00000000001D0000-0x00000000001E8000-memory.dmp

Filesize
96KB

Download
memory/2208-3-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-21-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-8-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/2208-6-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2208-4-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-17-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/2332-129-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2332-64-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2868-159-0x0000000000F00000-0x00000000010F8000-memory.dmp

Filesize
2.0MB

Download
memory/3064-210-0x00000000013E0000-0x00000000015D8000-memory.dmp

Filesize
2.0MB

Download