dcrat | 11d8980ca6e1f41a7ede9bf1aca61638bbf024ac1a38eb4b0424f6dbc79d991d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Size

1.9MB
MD5

6b9554367a439d39a00a0dff9a08b123
SHA1

e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA256

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
SHA512

72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
SSDEEP

49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2712	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2432	powershell.exe
2064	powershell.exe
2444	powershell.exe
1808	powershell.exe
2188	powershell.exe
2160	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2312	dwm.exe
1824	dwm.exe
2028	dwm.exe
2164	dwm.exe
1236	dwm.exe
2768	dwm.exe
784	dwm.exe
2268	dwm.exe
1384	dwm.exe
3032	dwm.exe
812	dwm.exe
1032	dwm.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\dwm.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Fonts\\dwm.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9 = "\"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9 = "\"C:\\Program Files (x86)\\Reference Assemblies\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Fonts\\dwm.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\sppsvc.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB652B1A182545888EF8AA54B38BAAD.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files (x86)\Reference Assemblies\044500db1eb820	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\0a1fd5f707cd16	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\dwm.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Windows\Fonts\6cb0b6c459d5d3	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Windows\schemas\TSWorkSpace\winlogon.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Windows\Fonts\dwm.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1520	PING.EXE
2592	PING.EXE
2248	PING.EXE
2584	PING.EXE
2576	PING.EXE
700	PING.EXE
2636	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
700	PING.EXE
2636	PING.EXE
1520	PING.EXE
2592	PING.EXE
2248	PING.EXE
2584	PING.EXE
2576	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2248	schtasks.exe
1020	schtasks.exe
2020	schtasks.exe
2424	schtasks.exe
2000	schtasks.exe
2952	schtasks.exe
1908	schtasks.exe
2816	schtasks.exe
2356	schtasks.exe
1656	schtasks.exe
3068	schtasks.exe
2640	schtasks.exe
1948	schtasks.exe
988	schtasks.exe
1640	schtasks.exe
2788	schtasks.exe
2612	schtasks.exe
588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2312	dwm.exe
Token: SeDebugPrivilege	1824	dwm.exe
Token: SeDebugPrivilege	2028	dwm.exe
Token: SeDebugPrivilege	2164	dwm.exe
Token: SeDebugPrivilege	1236	dwm.exe
Token: SeDebugPrivilege	2768	dwm.exe
Token: SeDebugPrivilege	784	dwm.exe
Token: SeDebugPrivilege	2268	dwm.exe
Token: SeDebugPrivilege	1384	dwm.exe
Token: SeDebugPrivilege	3032	dwm.exe
Token: SeDebugPrivilege	812	dwm.exe
Token: SeDebugPrivilege	1032	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 304	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	34
PID 3060 wrote to memory of 304	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	34
PID 3060 wrote to memory of 304	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	34
PID 304 wrote to memory of 2648	304	csc.exe	36
PID 304 wrote to memory of 2648	304	csc.exe	36
PID 304 wrote to memory of 2648	304	csc.exe	36
PID 3060 wrote to memory of 2188	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	52
PID 3060 wrote to memory of 2188	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	52
PID 3060 wrote to memory of 2188	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	52
PID 3060 wrote to memory of 2160	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	53
PID 3060 wrote to memory of 2160	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	53
PID 3060 wrote to memory of 2160	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	53
PID 3060 wrote to memory of 2432	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	54
PID 3060 wrote to memory of 2432	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	54
PID 3060 wrote to memory of 2432	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	54
PID 3060 wrote to memory of 2064	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	56
PID 3060 wrote to memory of 2064	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	56
PID 3060 wrote to memory of 2064	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	56
PID 3060 wrote to memory of 2444	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	57
PID 3060 wrote to memory of 2444	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	57
PID 3060 wrote to memory of 2444	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	57
PID 3060 wrote to memory of 1808	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	58
PID 3060 wrote to memory of 1808	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	58
PID 3060 wrote to memory of 1808	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	58
PID 3060 wrote to memory of 1296	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	64
PID 3060 wrote to memory of 1296	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	64
PID 3060 wrote to memory of 1296	3060	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	64
PID 1296 wrote to memory of 2012	1296	cmd.exe	66
PID 1296 wrote to memory of 2012	1296	cmd.exe	66
PID 1296 wrote to memory of 2012	1296	cmd.exe	66
PID 1296 wrote to memory of 700	1296	cmd.exe	67
PID 1296 wrote to memory of 700	1296	cmd.exe	67
PID 1296 wrote to memory of 700	1296	cmd.exe	67
PID 1296 wrote to memory of 2312	1296	cmd.exe	69
PID 1296 wrote to memory of 2312	1296	cmd.exe	69
PID 1296 wrote to memory of 2312	1296	cmd.exe	69
PID 2312 wrote to memory of 2744	2312	dwm.exe	70
PID 2312 wrote to memory of 2744	2312	dwm.exe	70
PID 2312 wrote to memory of 2744	2312	dwm.exe	70
PID 2744 wrote to memory of 2656	2744	cmd.exe	72
PID 2744 wrote to memory of 2656	2744	cmd.exe	72
PID 2744 wrote to memory of 2656	2744	cmd.exe	72
PID 2744 wrote to memory of 2636	2744	cmd.exe	73
PID 2744 wrote to memory of 2636	2744	cmd.exe	73
PID 2744 wrote to memory of 2636	2744	cmd.exe	73
PID 2744 wrote to memory of 1824	2744	cmd.exe	74
PID 2744 wrote to memory of 1824	2744	cmd.exe	74
PID 2744 wrote to memory of 1824	2744	cmd.exe	74
PID 1824 wrote to memory of 1984	1824	dwm.exe	75
PID 1824 wrote to memory of 1984	1824	dwm.exe	75
PID 1824 wrote to memory of 1984	1824	dwm.exe	75
PID 1984 wrote to memory of 2000	1984	cmd.exe	77
PID 1984 wrote to memory of 2000	1984	cmd.exe	77
PID 1984 wrote to memory of 2000	1984	cmd.exe	77
PID 1984 wrote to memory of 1520	1984	cmd.exe	78
PID 1984 wrote to memory of 1520	1984	cmd.exe	78
PID 1984 wrote to memory of 1520	1984	cmd.exe	78
PID 1984 wrote to memory of 2028	1984	cmd.exe	79
PID 1984 wrote to memory of 2028	1984	cmd.exe	79
PID 1984 wrote to memory of 2028	1984	cmd.exe	79
PID 2028 wrote to memory of 2628	2028	dwm.exe	80
PID 2028 wrote to memory of 2628	2028	dwm.exe	80
PID 2028 wrote to memory of 2628	2028	dwm.exe	80
PID 2628 wrote to memory of 900	2628	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iw3ckhwl\iw3ckhwl.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC17.tmp" "c:\Windows\System32\CSCB652B1A182545888EF8AA54B38BAAD.TMP"
    3⤵
    PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AnS9fsWjvo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2012
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:700
- - C:\Windows\Fonts\dwm.exe
    "C:\Windows\Fonts\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2656
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
    - - C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2592
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ll0PvUMuW1.bat"
        10⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1936
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
        12⤵
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2544
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DK6554V6Uz.bat"
        14⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\55qZ0E2uab.bat"
        16⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1640
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PdP1UB7pUq.bat"
        18⤵
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat"
        20⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A9s0LWASh3.bat"
        22⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:932
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtO4vJVMF8.bat"
        24⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1908
        
        C:\Windows\Fonts\dwm.exe
        
        "C:\Windows\Fonts\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe

Filesize
1.9MB

MD5
6b9554367a439d39a00a0dff9a08b123

SHA1
e1d22cde90c297c10f4fcba5b3980e5d551eb0b3

SHA256
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

SHA512
72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\55qZ0E2uab.bat

Filesize
200B

MD5
78c7edb64281fc8e1f0578b384e8f6fa

SHA1
8a6d10bfba6961314e43e7bf018d809701a0efef

SHA256
f45a739d6a75eeae595bcf754803591628c9d0aad852af7419f2e01c737311eb

SHA512
fe67c1427468b8177008d11677c99feafcabfa8e4407a0e717cf8b8a27895fc055a6f8c191c379397284f442c7687dc8e49b9c2c41e32c0fdd7cc12a620576d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9s0LWASh3.bat

Filesize
200B

MD5
7a2bfb03c19fe35b6a136c25766698f3

SHA1
a2904dc577355e6ec510ae2e7092dc0fd3d67782

SHA256
12639e02a99dc364baa0beb262e7fbd6738cc5a50cd06ef2cbb2171581da3f77

SHA512
809e02a0e0992b2ebf5e3b8ee491ed89f1e8a4cf72a0fad9c3aaeebf162a3224e439c1524e2cc040f81edf49921079ae58ca62e38adc868495eb2259dd3c23ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnS9fsWjvo.bat

Filesize
152B

MD5
f00dd4161a60609d38b795ef71065840

SHA1
4233ad99c0ae6804389c9ad13597c6ab11fc45fb

SHA256
d49720b4649a9255deac6dcf8e103a7835b7034c626b0c48a21c1e3e59840aa3

SHA512
1191e6f77d7204877606cd13b29d7b66959080f12e736eb7c33455999b55fb9ef1211e70fe26c4d6a081d6c41135b1bdeabf72e9e51c713f0fb2b6f65685cceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DK6554V6Uz.bat

Filesize
152B

MD5
7e398f5827905c17a328a75705569aeb

SHA1
b3f2580ef2b69c75e8cbabb78dec474f7dd800df

SHA256
b9dcc126ecc347612dc9fd3f5c441c69f783f25997bf3dcabb55cca44a5e5249

SHA512
d13d9f0d1d3f64283b0326e5a4eb3e1ab092746e994d7b1aef19ed7b42e622812eea68ab94c8117d4fbd71ccbaafec5a253ceb9c7253bba8bfcc8c482e70d603

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCUhdmH1So.bat

Filesize
152B

MD5
c016803a9ae3202c1cf2d922b9afd614

SHA1
7557eadcbd38af9ec91badd34f309f03a144c62d

SHA256
3605d976bb169ba5c97d48461cf0a7c6135f963dbd2e32d076773f18deca2031

SHA512
5258b349da6461b8299c3f61f6f38ceb71b2e3cb8a76cedf3003b513d190f9e06bc7031a626d6beb43287ba15c28890e0c5544161216a62840a10d40996ce234

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ll0PvUMuW1.bat

Filesize
200B

MD5
d3be3f5fbd5a09eee79358620717be62

SHA1
358351f36ce5181269c1c38d87da1258689a9ecb

SHA256
73cf57af56398a779aab111fe08f063865a568f5dfcb7c4f5bbfbf9545fed49b

SHA512
d1a03c205970a1d9291b9075c4a0bd3653df7d0f6d4f0154067dc9d071d434bd28bf5d570a47aac19bf92deb2e2ef19298b4db2b5cefb3cd97471de933a2ae20

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdP1UB7pUq.bat

Filesize
152B

MD5
abd1de0cfdba8c06cef17b9cd7ea70cb

SHA1
d9b86ec76f1a46c1f9545e8bfc99a8934f91a35c

SHA256
1abb8bcf195635cc11cdf4fe6e39d9faf535655221f5c09bdde90cb4062fa73f

SHA512
c7f394e0a24ab0984e42350da4bd81292b0c3aa31cdde67bc13f1a509eded6adb89da9d1594c70792c4a7cfc4154fd6cc36bc3597864ca3e1f361820e0422e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAC17.tmp

Filesize
1KB

MD5
4931a45654ec4ff2a0735c11e48ad66d

SHA1
cab878746c8da6a87165e66dab769038f61748ba

SHA256
a24eb32a943863b26d2d593a02c274d8c914fb33fe62de53e12ad44f1e3fbfa5

SHA512
15b61c18196f2ff1bb875c8c5c2086be0a89698a83a91691c82f292cbc2c7ebea7515bd1fd98351d70fdc84e0ed44f679ff5ef6f745ab618b97532594f1027a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat

Filesize
200B

MD5
41d397179f7ee81a6490f0442d654541

SHA1
608f4ce0c9389de22687048e09825d3e45d1c663

SHA256
2b6df5892f466c71705c5304ae8ab70a001fa2a82659b7c2ebca962ded67075c

SHA512
b59675c868a90da15c2b8d35873aa03ffdf9171ea8bcc321d6ae9575bc11dae3bbbf18062b1ee2c91092645c7ab7210fddf21cc6decc0b0bff3a50873d75c2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat

Filesize
152B

MD5
7c59e8b4acc3b3c900964d820d276726

SHA1
758ec1311a3ace82162ff5b1c98c915aea25c268

SHA256
323a0500e8d081a0e744fded89ab9a12a300fbf5e8becdb6c83a5bc8556c815c

SHA512
de550b50c859799184c7871d2813dda81cde3ee8ba4c811cf1b1353c1653c059e9d4351af10078c47f4b2c61e4f2c7715ab484a5f64151b76c29137e60bbafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat

Filesize
152B

MD5
67dfd9ec9c39abbd6c50221307b5df54

SHA1
90ffaac03a9dd0c0eb3821854bd7b9454a14be8c

SHA256
33989f796fee3edd212f55c66989ccef41b7b26613699dbca1268505108835c8

SHA512
5121619eba9d43735049dd88da2bb06a669505b0b96d06723f7d7ba5a7e6e9f933a2d34c49e3c0bcfc203558db2a0914229a48101e4108cd1078d59f591ff2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
152B

MD5
61025f6d1f432ada46c4ca257fa634fc

SHA1
5fe2b26d9b04bed40b23a6c2179e6f4f0a68d713

SHA256
91341796f3f8a55502f1ad4a3a44e58b568853ee67d7495068165785e2bbefd0

SHA512
54071a6f557c36a54db0235df8e044ae323fa22cd14c4ce6e8c943bfcc40e9fef3865d82cec0200590366b63b72c8d8631347f1ce072509ead45f92c98fcdc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtO4vJVMF8.bat

Filesize
200B

MD5
f68bc85eed3db9c635389d7dccf6e71a

SHA1
c02072e68f85567dd3888b765915c86f87e4abea

SHA256
5e5b9265e1ff33d668d56cf67b35fefbffb79bc377c90a18081cc35884344797

SHA512
4f171af0ae0a2c25624aa1327a7182103cfc98adc7a7a5a3b41f709cea76e40c7739c5be9b960a9a89f9debd91d6ca5fd7243ce78644a14637ffb8c072744875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TL0USFQTNL2NC5KB3Z1V.temp

Filesize
7KB

MD5
d3d7a986e28c570bb6bc92d2042ef328

SHA1
83ffaa9c9b21e9e400667994c23648721ffbd265

SHA256
2bc0231e54b2df1b4e835e3553abd6a64ed941f50389cd8e5c8c08ed92e29e28

SHA512
0e656d7dbcb068b6b2550b16827609786331646a1c8a262e9f5ca2e8fb32253f60391605d24be7a75bf146145e5a32461575dfbae74d4d66a37434802e1c91ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iw3ckhwl\iw3ckhwl.0.cs

Filesize
382B

MD5
d12fa106a3c047dcbb31f35f6b9bdbe6

SHA1
76393ec0438867ec4ebccc853a11b88a4eac5c1c

SHA256
9ddff7b72f4e35fab93244f66a3550cda0138a96f277361b7ca5532157b20486

SHA512
66672e80fd01624bae9c32c9673210ad36c68f4b7bb54abded3f4ec74c2805561c5ca11509099795b395cfdbd3659f6a6efd471060d4614de8a200b0287c4a6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iw3ckhwl\iw3ckhwl.cmdline

Filesize
235B

MD5
061edc83d8133661f47e4033780f1b70

SHA1
22d18e334b3dc29ef515c9aae89da3cc55678bfc

SHA256
341f451b19ed085a30c9e6034e02d1a71c43b65f54b31264c26e201c75b8c313

SHA512
ce86cc3aae2a9bc74953fcbd364c3f09d01921358e4df01ce82466dedfd62974b671ebbf16f1d3a935d6567209f8bdb4149b077c1ea0985591f9e9913b3e88bd

Download Submit
\??\c:\Windows\System32\CSCB652B1A182545888EF8AA54B38BAAD.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/784-172-0x0000000000350000-0x0000000000544000-memory.dmp

Filesize
2.0MB

Download
memory/812-229-0x0000000001010000-0x0000000001204000-memory.dmp

Filesize
2.0MB

Download
memory/1032-243-0x0000000001130000-0x0000000001324000-memory.dmp

Filesize
2.0MB

Download
memory/1236-143-0x0000000000240000-0x0000000000434000-memory.dmp

Filesize
2.0MB

Download
memory/1384-200-0x0000000000040000-0x0000000000234000-memory.dmp

Filesize
2.0MB

Download
memory/1824-101-0x0000000000060000-0x0000000000254000-memory.dmp

Filesize
2.0MB

Download
memory/2028-115-0x0000000001020000-0x0000000001214000-memory.dmp

Filesize
2.0MB

Download
memory/2160-72-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/2160-61-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2164-129-0x0000000001210000-0x0000000001404000-memory.dmp

Filesize
2.0MB

Download
memory/2268-186-0x00000000009E0000-0x0000000000BD4000-memory.dmp

Filesize
2.0MB

Download
memory/2312-87-0x00000000012C0000-0x00000000014B4000-memory.dmp

Filesize
2.0MB

Download
memory/2768-157-0x0000000001110000-0x0000000001304000-memory.dmp

Filesize
2.0MB

Download
memory/3032-214-0x0000000000BB0000-0x0000000000DA4000-memory.dmp

Filesize
2.0MB

Download
memory/3060-17-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/3060-12-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/3060-22-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-20-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-19-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/3060-26-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-83-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-13-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-15-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/3060-23-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-35-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-10-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download
memory/3060-8-0x0000000000760000-0x000000000077C000-memory.dmp

Filesize
112KB

Download
memory/3060-6-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/3060-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/3060-4-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-3-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-2-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-1-0x0000000000EA0000-0x0000000001094000-memory.dmp

Filesize
2.0MB

Download