dcrat | a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Size

1.8MB
MD5

7aeff3c38c61da155b557c651866241d
SHA1

5d17e805d332b43df01153884c040524cc150f4b
SHA256

a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b
SHA512

364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e
SSDEEP

24576:N9US2Qh9vbixa8FAPOZEl2dQE98Kt7fgZizgXVWA1CiFoe9+Qoi8M3wfCI9GfkW2:N9LPOIK5ui8pciKi+QoW3wD9aFuH

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\", \"C:\\34c553de294c1d56d0a800105b\\csrss.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\", \"C:\\34c553de294c1d56d0a800105b\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\taskhostw.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\", \"C:\\34c553de294c1d56d0a800105b\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\taskhostw.exe\", \"C:\\Windows\\ShellExperiences\\taskhostw.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\", \"C:\\34c553de294c1d56d0a800105b\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\taskhostw.exe\", \"C:\\Windows\\ShellExperiences\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\", \"C:\\34c553de294c1d56d0a800105b\\csrss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\taskhostw.exe\", \"C:\\Windows\\ShellExperiences\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	4632	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4632	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6124	powershell.exe
1292	powershell.exe
388	powershell.exe
1480	powershell.exe
1124	powershell.exe
1072	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Executes dropped EXE 11 IoCs

pid	Process
3752	RuntimeBroker.exe
1852	RuntimeBroker.exe
2564	csrss.exe
1744	csrss.exe
5868	taskhostw.exe
2620	taskhostw.exe
5184	taskhostw.exe
4560	taskhostw.exe
5664	spoolsv.exe
5808	spoolsv.exe
5920	taskhostw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\34c553de294c1d56d0a800105b\\csrss.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\taskhostw.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\ShellExperiences\\taskhostw.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\2f3e0199fccb3f72e8a39924edc6a781\\RuntimeBroker.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\34c553de294c1d56d0a800105b\\csrss.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\taskhostw.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\ShellExperiences\\taskhostw.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\lmmpbd.exe	csc.exe
File created	\??\c:\Windows\System32\CSC287F83477E664AA2B2AA4B6CC2D44D4.TMP	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC215D45335A747ACBE1250A0F9F7C64B.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\ea9f0e6c9e2dcd	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\ea9f0e6c9e2dcd	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
File created	C:\Windows\ShellExperiences\taskhostw.exe	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4880	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4880	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4820	schtasks.exe
4748	schtasks.exe
6036	schtasks.exe
3392	schtasks.exe
5016	schtasks.exe
5076	schtasks.exe
4148	schtasks.exe
5820	schtasks.exe
2408	schtasks.exe
2772	schtasks.exe
5388	schtasks.exe
1408	schtasks.exe
4472	schtasks.exe
4308	schtasks.exe
376	schtasks.exe
4552	schtasks.exe
3508	schtasks.exe
512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	1852	RuntimeBroker.exe
Token: SeDebugPrivilege	3752	RuntimeBroker.exe
Token: SeDebugPrivilege	2564	csrss.exe
Token: SeDebugPrivilege	1744	csrss.exe
Token: SeDebugPrivilege	2620	taskhostw.exe
Token: SeDebugPrivilege	5868	taskhostw.exe
Token: SeDebugPrivilege	4560	taskhostw.exe
Token: SeDebugPrivilege	5184	taskhostw.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	1096	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	4456	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
Token: SeDebugPrivilege	5664	spoolsv.exe
Token: SeDebugPrivilege	5808	spoolsv.exe
Token: SeDebugPrivilege	5920	taskhostw.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 5996 wrote to memory of 2184	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	92
PID 5996 wrote to memory of 2184	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	92
PID 2184 wrote to memory of 4724	2184	csc.exe	94
PID 2184 wrote to memory of 4724	2184	csc.exe	94
PID 5996 wrote to memory of 4696	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	95
PID 5996 wrote to memory of 4696	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	95
PID 4696 wrote to memory of 5528	4696	csc.exe	97
PID 4696 wrote to memory of 5528	4696	csc.exe	97
PID 332 wrote to memory of 3752	332	cmd.exe	105
PID 332 wrote to memory of 3752	332	cmd.exe	105
PID 5136 wrote to memory of 1852	5136	cmd.exe	109
PID 5136 wrote to memory of 1852	5136	cmd.exe	109
PID 3408 wrote to memory of 2564	3408	cmd.exe	113
PID 3408 wrote to memory of 2564	3408	cmd.exe	113
PID 4572 wrote to memory of 1744	4572	cmd.exe	114
PID 4572 wrote to memory of 1744	4572	cmd.exe	114
PID 2292 wrote to memory of 5868	2292	cmd.exe	123
PID 2292 wrote to memory of 5868	2292	cmd.exe	123
PID 1416 wrote to memory of 2620	1416	cmd.exe	122
PID 1416 wrote to memory of 2620	1416	cmd.exe	122
PID 2312 wrote to memory of 4560	2312	cmd.exe	131
PID 2312 wrote to memory of 4560	2312	cmd.exe	131
PID 4320 wrote to memory of 5184	4320	cmd.exe	132
PID 4320 wrote to memory of 5184	4320	cmd.exe	132
PID 5996 wrote to memory of 6124	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	141
PID 5996 wrote to memory of 6124	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	141
PID 5996 wrote to memory of 1292	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	142
PID 5996 wrote to memory of 1292	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	142
PID 5996 wrote to memory of 1072	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	143
PID 5996 wrote to memory of 1072	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	143
PID 5996 wrote to memory of 1124	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	145
PID 5996 wrote to memory of 1124	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	145
PID 5996 wrote to memory of 1480	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	147
PID 5996 wrote to memory of 1480	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	147
PID 5996 wrote to memory of 388	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	148
PID 5996 wrote to memory of 388	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	148
PID 5996 wrote to memory of 1820	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	156
PID 5996 wrote to memory of 1820	5996	a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe	156
PID 1260 wrote to memory of 1096	1260	cmd.exe	159
PID 1260 wrote to memory of 1096	1260	cmd.exe	159
PID 536 wrote to memory of 4456	536	cmd.exe	160
PID 536 wrote to memory of 4456	536	cmd.exe	160
PID 1820 wrote to memory of 4552	1820	cmd.exe	161
PID 1820 wrote to memory of 4552	1820	cmd.exe	161
PID 1820 wrote to memory of 4880	1820	cmd.exe	162
PID 1820 wrote to memory of 4880	1820	cmd.exe	162
PID 3112 wrote to memory of 5664	3112	cmd.exe	163
PID 3112 wrote to memory of 5664	3112	cmd.exe	163
PID 2480 wrote to memory of 5808	2480	cmd.exe	164
PID 2480 wrote to memory of 5808	2480	cmd.exe	164
PID 1820 wrote to memory of 5920	1820	cmd.exe	176
PID 1820 wrote to memory of 5920	1820	cmd.exe	176

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
"C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqkw5ukt\jqkw5ukt.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C2E.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC215D45335A747ACBE1250A0F9F7C64B.TMP"
    3⤵
    PID:4724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hc0b4hyk\hc0b4hyk.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D18.tmp" "c:\Windows\System32\CSC287F83477E664AA2B2AA4B6CC2D44D4.TMP"
    3⤵
    PID:5528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rn2zzuqb3l.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4552
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4880
- - C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe
    "C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5136
- C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe
  C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:332
- C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe
  C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\34c553de294c1d56d0a800105b\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\34c553de294c1d56d0a800105b\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\34c553de294c1d56d0a800105b\csrss.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- C:\34c553de294c1d56d0a800105b\csrss.exe
  C:\34c553de294c1d56d0a800105b\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\34c553de294c1d56d0a800105b\csrss.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\34c553de294c1d56d0a800105b\csrss.exe
  C:\34c553de294c1d56d0a800105b\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe
  "C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe
  "C:\Program Files (x86)\Internet Explorer\it-IT\taskhostw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\ShellExperiences\taskhostw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\ShellExperiences\taskhostw.exe
  C:\Windows\ShellExperiences\taskhostw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\ShellExperiences\taskhostw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\ShellExperiences\taskhostw.exe
  C:\Windows\ShellExperiences\taskhostw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\spoolsv.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Recovery\WindowsRE\spoolsv.exe
  C:\Recovery\WindowsRE\spoolsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\spoolsv.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Recovery\WindowsRE\spoolsv.exe
  C:\Recovery\WindowsRE\spoolsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8ba" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8ba" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  C:\Users\Admin\AppData\Local\Temp\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\RuntimeBroker.exe

Filesize
1.8MB

MD5
7aeff3c38c61da155b557c651866241d

SHA1
5d17e805d332b43df01153884c040524cc150f4b

SHA256
a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b

SHA512
364ce21ba3427e0951f274b8ac7ba76e9e18877d3a49bd3de1ff24525d0f499f9c2ec2b0336a266852d308bfcb3e02c977c512b0b3917df3e497965fc3b9c72e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a447b03f131289f91c8fc4e22ab9b54d362e7771e7ce7518463ea6634cce5c8b.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c7942d5130e519e28d6051f8513f7c4

SHA1
e768daf9cbd6a718a8a60c08c893ce1797cd86fb

SHA256
83042c329ad8e497403069fdb4718252bd97c127d4e04fae1977349d767c90a1

SHA512
c7456ee68bea337227d9ac5f20acdcce72abad524cc771f8d9e49e8ca8811a093d1972d88da72c612a865de9417c6dec258148ff94e739a50097b62415566bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3930c254bc452c4fd482e3059b51aa04

SHA1
1c4bdb41f3a7c9d4ee3b8006cc1c495eedb072e2

SHA256
dc600748250d0dd0ffa2678049fd27ec8e56e262601f3d8a1fd7165b03f97fb8

SHA512
888565d3356b5fc9c5b55d6842c520487219bc2220df2a56cb74686cc36ebd0fbd1ab9f2a17f93e9c15031c8d6366031a4fd2c1f8a6f8cf96bc3a5939f31a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C2E.tmp

Filesize
1KB

MD5
1dc330cbe220bdf5f4f56243aa27f7ca

SHA1
78820f1df3ab4ff33fd8c04a1c8e0fdaffed56cb

SHA256
cd77350d2cf8416e7461b4100895ff84fd6f91f058353daa4c94ffcf67d69c9d

SHA512
14d0e2d7fb56e816403ffb34461b37add5d889953ba5a822b4dcaba0f4cb3d20a7a410815a7adc5f8d6d4090a9841e241bb0179b9093379c8ac32270b6b147c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D18.tmp

Filesize
1KB

MD5
10fab7021d2f143ce8701039b78ab024

SHA1
fd734c6a4704816a927eb1514cfb7ecfd1f01c2a

SHA256
e062846f695b551c62e9a6a449985990ae736539a1383727f694968efa4f891f

SHA512
c2d2bb8bb5d1dc599c70c7cc3bd98b29c4c136cccc9748c040c1bf01bb8c4c998b36c49ede895726f80709dfcfe7da7f5e5833c7748854feefe811ae95ce0fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsnlnt54.s1z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rn2zzuqb3l.bat

Filesize
188B

MD5
fb28e9958b1c32898b26926274e1f676

SHA1
5f0c5fdcdf8c866f2adabf6515b91695b3931d0a

SHA256
2465839ed6cc55b8d31dcf02adddbb102e3856cd4f5fbdb18c988f52b99c2c9b

SHA512
dcd6694d103041aef227d36d317e2f0d0633f532100a4bbf3a20da4b90f9bc896b8bf9d930fea359bd2bab9f1573292ef9ab37a5a9d4c95d496cafc2ec0c6a93

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC215D45335A747ACBE1250A0F9F7C64B.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hc0b4hyk\hc0b4hyk.0.cs

Filesize
385B

MD5
09f353298bd0faaa76e36a3f76010c6b

SHA1
3221b0c5dc60f614c09d748feb63e2302fcfb026

SHA256
706d17d8aa07f0b2491fa7fc3421d95bc3458ed4c74e8e245b7e9c0cba64a524

SHA512
41fb59b92acd6af24e46d4b5b4212f2116023a09a9527707161deb85880bfc2199626f5de13724a637cefd6df779b027172d98ab09b327668231b6626813864a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hc0b4hyk\hc0b4hyk.cmdline

Filesize
235B

MD5
4bf6569a40ac003c961c248970110013

SHA1
933bf5de45bf9bdc357cc845c99df0115b3b0015

SHA256
79a984837add0fcd03332998c7c338c27d8fd643e3e7912a18ea68f04f7b334d

SHA512
3adf11f82c4a6c00a0003fa49f5a7d05fe18eeb1d75f4999c0f01df0982d250f61a45e2605949f14c8fc22c4b8e5d47409d26bfb4934859f8d3cf3c54923d78d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqkw5ukt\jqkw5ukt.0.cs

Filesize
415B

MD5
72db7acb3610e188f26c3d4bee710165

SHA1
1eb997466db6fee7f39fcdc683f6543779266bc0

SHA256
28e668c3b12c8f9f1a3729355e38c3599b524523678adad8d737d22649963cf2

SHA512
4f31698f0fb5054307d33ba314a02fb1d059fb6f4ac9e0de7fdc639a9b5383ef244be4ebdf5d15e437924f69430e32063694e43555dc4e6d2ec379c7dd8f3da7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqkw5ukt\jqkw5ukt.cmdline

Filesize
265B

MD5
3aea93889e48e2ce86314c989efc95a8

SHA1
3e90d25f98679737374ba3ccbcb24d73ae9b246f

SHA256
c4793af6a1e3bb29fb0649cb84a927eb8a80e8d8c406e681bac2c07f7c4da7c9

SHA512
103cb7a0cf4cecda02d5dce11847ecad9dac57a059028b8ff759bee600f84cda0f27fb116ceb4d3b24db773fc0a534d207fc0adef01b2f00c7eb8e8c44955ad1

Download Submit
\??\c:\Windows\System32\CSC287F83477E664AA2B2AA4B6CC2D44D4.TMP

Filesize
1KB

MD5
e38ec11fb3d1a8a13f062e1fac7d0f55

SHA1
e6f224075e6463295de812623e713360b363f219

SHA256
e4946cc4d808ae9955c50428d226f3d0665944420c39b7fefd98961095237a2f

SHA512
27efeb099f060c19014f1a2d05e4426b6ecc505eeada385d9094e5d6e749d426f2c6f3fdd5255654c1be832d7ca17566242a800e98b2b4ba484a6a5d1ce0e6e2

Download Submit
memory/1480-92-0x00000214D8E10000-0x00000214D8E32000-memory.dmp

Filesize
136KB

Download
memory/5920-168-0x000000001CA50000-0x000000001CAF9000-memory.dmp

Filesize
676KB

Download
memory/5996-15-0x0000000001650000-0x000000000165C000-memory.dmp

Filesize
48KB

Download
memory/5996-34-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-33-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-29-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-17-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-16-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-11-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-80-0x000000001C100000-0x000000001C1A9000-memory.dmp

Filesize
676KB

Download
memory/5996-81-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-13-0x0000000002F90000-0x0000000002FA8000-memory.dmp

Filesize
96KB

Download
memory/5996-0-0x00007FF9B2CE3000-0x00007FF9B2CE5000-memory.dmp

Filesize
8KB

Download
memory/5996-10-0x000000001BAC0000-0x000000001BB10000-memory.dmp

Filesize
320KB

Download
memory/5996-9-0x0000000002F70000-0x0000000002F8C000-memory.dmp

Filesize
112KB

Download
memory/5996-7-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-6-0x0000000001640000-0x000000000164E000-memory.dmp

Filesize
56KB

Download
memory/5996-4-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-3-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-2-0x00007FF9B2CE0000-0x00007FF9B37A1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-1-0x0000000000C40000-0x0000000000E1A000-memory.dmp

Filesize
1.9MB

Download