dcrat | a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Size

1.8MB
MD5

7aeff3c38c61da155b557c651866241d
SHA1

5d17e805d332b43df01153884c040524cc150f4b
SHA256

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b
SHA512

364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e
SSDEEP

24576:N9US2Qh9vbixa8FAPOZEl2dQE98Kt7fgZizgXVWA1CiFoe9+Qoi8M3wfCI9GfkW2:N9LPOIK5ui8pciKi+QoW3wD9aFuH

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\spoolsv.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\spoolsv.exe\", \"C:\\Windows\\addins\\dwm.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\spoolsv.exe\", \"C:\\Windows\\addins\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\spoolsv.exe\", \"C:\\Windows\\addins\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\spoolsv.exe\", \"C:\\Windows\\addins\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Downloads\\spoolsv.exe\", \"C:\\Windows\\addins\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\d9c22b4eaa3c0b9c12c7\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	220	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
3972	powershell.exe
4780	powershell.exe
4696	powershell.exe
3312	powershell.exe
2236	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Executes dropped EXE 11 IoCs

pid	Process
1884	spoolsv.exe
2124	spoolsv.exe
3012	dwm.exe
4520	dwm.exe
2040	backgroundTaskHost.exe
3744	backgroundTaskHost.exe
4556	sppsvc.exe
1128	sppsvc.exe
2444	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
1040	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5476	spoolsv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\addins\\dwm.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\addins\\dwm.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b = "\"C:\\d9c22b4eaa3c0b9c12c7\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b = "\"C:\\d9c22b4eaa3c0b9c12c7\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Downloads\\spoolsv.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Public\\Downloads\\spoolsv.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC75898C9137D84835BC4BE645AB8E6EFB.TMP	csc.exe
File created	\??\c:\Windows\System32\3jy4ms.exe	csc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\sppsvc.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Windows\Fonts\0a1fd5f707cd16	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Windows\addins\dwm.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Windows\addins\6cb0b6c459d5d3	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5664	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5664	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3708	schtasks.exe
4128	schtasks.exe
3960	schtasks.exe
3016	schtasks.exe
448	schtasks.exe
4700	schtasks.exe
3212	schtasks.exe
3464	schtasks.exe
676	schtasks.exe
408	schtasks.exe
4908	schtasks.exe
4132	schtasks.exe
4244	schtasks.exe
1756	schtasks.exe
2572	schtasks.exe
4804	schtasks.exe
1880	schtasks.exe
392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	1884	spoolsv.exe
Token: SeDebugPrivilege	2124	spoolsv.exe
Token: SeDebugPrivilege	3012	dwm.exe
Token: SeDebugPrivilege	4520	dwm.exe
Token: SeDebugPrivilege	2040	backgroundTaskHost.exe
Token: SeDebugPrivilege	3744	backgroundTaskHost.exe
Token: SeDebugPrivilege	4556	sppsvc.exe
Token: SeDebugPrivilege	1128	sppsvc.exe
Token: SeDebugPrivilege	1040	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	2444	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	5328	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	5536	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	5476	spoolsv.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4300	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	92
PID 3228 wrote to memory of 4300	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	92
PID 4300 wrote to memory of 2444	4300	csc.exe	141
PID 4300 wrote to memory of 2444	4300	csc.exe	141
PID 4912 wrote to memory of 1884	4912	cmd.exe	102
PID 4912 wrote to memory of 1884	4912	cmd.exe	102
PID 388 wrote to memory of 2124	388	cmd.exe	109
PID 388 wrote to memory of 2124	388	cmd.exe	109
PID 4320 wrote to memory of 3012	4320	cmd.exe	111
PID 4320 wrote to memory of 3012	4320	cmd.exe	111
PID 3348 wrote to memory of 4520	3348	cmd.exe	112
PID 3348 wrote to memory of 4520	3348	cmd.exe	112
PID 1388 wrote to memory of 2040	1388	cmd.exe	121
PID 1388 wrote to memory of 2040	1388	cmd.exe	121
PID 2380 wrote to memory of 3744	2380	cmd.exe	123
PID 2380 wrote to memory of 3744	2380	cmd.exe	123
PID 4928 wrote to memory of 4556	4928	cmd.exe	131
PID 4928 wrote to memory of 4556	4928	cmd.exe	131
PID 4880 wrote to memory of 1128	4880	cmd.exe	132
PID 4880 wrote to memory of 1128	4880	cmd.exe	132
PID 3236 wrote to memory of 1040	3236	cmd.exe	140
PID 3236 wrote to memory of 1040	3236	cmd.exe	140
PID 3612 wrote to memory of 2444	3612	cmd.exe	141
PID 3612 wrote to memory of 2444	3612	cmd.exe	141
PID 3228 wrote to memory of 2236	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	144
PID 3228 wrote to memory of 2236	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	144
PID 3228 wrote to memory of 3312	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	145
PID 3228 wrote to memory of 3312	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	145
PID 3228 wrote to memory of 4696	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	146
PID 3228 wrote to memory of 4696	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	146
PID 3228 wrote to memory of 4780	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	147
PID 3228 wrote to memory of 4780	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	147
PID 3228 wrote to memory of 3972	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	148
PID 3228 wrote to memory of 3972	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	148
PID 3228 wrote to memory of 2684	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	149
PID 3228 wrote to memory of 2684	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	149
PID 3228 wrote to memory of 2720	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	159
PID 3228 wrote to memory of 2720	3228	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	159
PID 380 wrote to memory of 5328	380	cmd.exe	162
PID 380 wrote to memory of 5328	380	cmd.exe	162
PID 2720 wrote to memory of 5516	2720	cmd.exe	163
PID 2720 wrote to memory of 5516	2720	cmd.exe	163
PID 2988 wrote to memory of 5536	2988	cmd.exe	164
PID 2988 wrote to memory of 5536	2988	cmd.exe	164
PID 2720 wrote to memory of 5664	2720	cmd.exe	165
PID 2720 wrote to memory of 5664	2720	cmd.exe	165
PID 2720 wrote to memory of 5476	2720	cmd.exe	169
PID 2720 wrote to memory of 5476	2720	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0erh3njv\0erh3njv.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC15.tmp" "c:\Windows\System32\CSC75898C9137D84835BC4BE645AB8E6EFB.TMP"
    3⤵
    PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w7mKVzsjYH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5516
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5664
- - C:\Users\Public\Downloads\spoolsv.exe
    "C:\Users\Public\Downloads\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Public\Downloads\spoolsv.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Public\Downloads\spoolsv.exe
  C:\Users\Public\Downloads\spoolsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Public\Downloads\spoolsv.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Public\Downloads\spoolsv.exe
  C:\Users\Public\Downloads\spoolsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\addins\dwm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\addins\dwm.exe
  C:\Windows\addins\dwm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\addins\dwm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\addins\dwm.exe
  C:\Windows\addins\dwm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Recovery\WindowsRE\backgroundTaskHost.exe
  C:\Recovery\WindowsRE\backgroundTaskHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Recovery\WindowsRE\backgroundTaskHost.exe
  C:\Recovery\WindowsRE\backgroundTaskHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Fonts\sppsvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\Fonts\sppsvc.exe
  C:\Windows\Fonts\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Fonts\sppsvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\Fonts\sppsvc.exe
  C:\Windows\Fonts\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8ba" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8ba" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3236
- C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  C:\d9c22b4eaa3c0b9c12c7\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8ba" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8ba" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc1d0291bbd8e80c9703fb1f4b4d14dc

SHA1
084009b8f1e67e03c9b7333293fbc00d3617948e

SHA256
4a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a

SHA512
75672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
084d49c16a0db5a169356315e8e97d83

SHA1
af662c8666ef7c52c9711c0f143e0b8620f27d19

SHA256
a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2

SHA512
c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c7942d5130e519e28d6051f8513f7c4

SHA1
e768daf9cbd6a718a8a60c08c893ce1797cd86fb

SHA256
83042c329ad8e497403069fdb4718252bd97c127d4e04fae1977349d767c90a1

SHA512
c7456ee68bea337227d9ac5f20acdcce72abad524cc771f8d9e49e8ca8811a093d1972d88da72c612a865de9417c6dec258148ff94e739a50097b62415566bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC15.tmp

Filesize
1KB

MD5
6d5bdee49b36edec5dbd53bb9222908b

SHA1
60b5d52558910e8cebddf54625efe0973170a57f

SHA256
a0bea641cc9e4904c4da84eea5152ccd1c3493a0354a2ee310e280a68637c629

SHA512
2ceeaa2f6d66afa45af565f62a2b1042b0a688ad879239c1be89defbc59ad005cf565ebf9fbb066e043b2da6be73b24efb0e39ab2840b1e7185aba2546eab8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckkyufwi.vtw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\w7mKVzsjYH.bat

Filesize
165B

MD5
1997fc1248bf9d45e98767fb4a16d4ce

SHA1
0d6105469d1ce22d1cc26f90b63cae48f299f2ec

SHA256
9febb39407a186db4354bdb479f28d1286656c7ee162e56e388e1d91293a4e2f

SHA512
4979b164b43bb69c30b29aa72586c78069e2350245c41dad822190117dde8ba9875db084c27c4c9269143860f30d859c8b2f41ac2cb1da9c42ec9adf3122154c

Download Submit
C:\Users\Public\Downloads\spoolsv.exe

Filesize
1.8MB

MD5
7aeff3c38c61da155b557c651866241d

SHA1
5d17e805d332b43df01153884c040524cc150f4b

SHA256
a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

SHA512
364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0erh3njv\0erh3njv.0.cs

Filesize
369B

MD5
38b09a7bfad0b85d98054774a97f376f

SHA1
797ac510ea251a372319e3e5a0d0169a7a807033

SHA256
693d654c84f25430019780bc802a63d1cb84ec924a6bec135de6177fcf1399c9

SHA512
acb33e05926112a0f5b718d2ba05eed9e36b426f7b910bd6048fb5ac7a22c3710872ee368c61290ea08a16c00549781b15072e88b5278fb57422be7525239a79

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0erh3njv\0erh3njv.cmdline

Filesize
235B

MD5
f6d29fc06f72118c6f9010048c2824cf

SHA1
742775d67a631f5811f4ad40989df8d42ca71b68

SHA256
08b34c9044b4756fb89105a2512f9a4c140bc6b670573bd560f10cf4154b0567

SHA512
3457b1baae781c426bf3c7f09b5e8868b0368accce6ce1c0acaf192555d91dbb92b6a487468838e9c5f12db2510358ccdeadcdffb3f1bd680724748940ee6021

Download Submit
\??\c:\Windows\System32\CSC75898C9137D84835BC4BE645AB8E6EFB.TMP

Filesize
1KB

MD5
cd2efcd6c0b3d3d6c3d5281c5c799cf5

SHA1
55c2ac600949d1e084361235650020372fe2dd54

SHA256
c01e7aca172406a5d6b91a25eb008e23b8664ea7e6f78babe38deb6c92f65d4d

SHA512
31c683f66a01fc3fcb4a3159bbbd63ca8122bf505d6fac6f838ed9910c77644d4ef5964cf35987fdc31692d18082ba03eac22d1d10dc572de394471d71d11961

Download Submit
memory/3228-6-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-13-0x000000001B450000-0x000000001B45C000-memory.dmp

Filesize
48KB

Download
memory/3228-0-0x00007FFF7E163000-0x00007FFF7E165000-memory.dmp

Filesize
8KB

Download
memory/3228-1-0x0000000000670000-0x000000000084A000-memory.dmp

Filesize
1.9MB

Download
memory/3228-28-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-14-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-59-0x00007FFF7E163000-0x00007FFF7E165000-memory.dmp

Filesize
8KB

Download
memory/3228-60-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-29-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-71-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-26-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-11-0x000000001B7B0000-0x000000001B7C8000-memory.dmp

Filesize
96KB

Download
memory/3228-9-0x000000001B800000-0x000000001B850000-memory.dmp

Filesize
320KB

Download
memory/3228-8-0x000000001B470000-0x000000001B48C000-memory.dmp

Filesize
112KB

Download
memory/3228-22-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-5-0x00000000028C0000-0x00000000028CE000-memory.dmp

Filesize
56KB

Download
memory/3228-3-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3228-2-0x00007FFF7E160000-0x00007FFF7EC21000-memory.dmp

Filesize
10.8MB

Download
memory/3312-77-0x000002E0F8AD0000-0x000002E0F8AF2000-memory.dmp

Filesize
136KB

Download