dcrat | 94b238a6c0c1757059b32035d7f7908b93a03c95cbcfb5c410380093a4ae3e00

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oSWI7.exe
Size

2.1MB
MD5

cf7aa78e605479dd9c2e96121c1cc49f
SHA1

a3603488a0d88fc26c21ffa25a044e45da2dbcb0
SHA256

94b238a6c0c1757059b32035d7f7908b93a03c95cbcfb5c410380093a4ae3e00
SHA512

a496755c88b69c318c55be96dff19a2d0aea561a87ee422ba0f11f68844323982876f7421503651c88671ee96ebf76df247e887bc5e85850883601ed23e96729
SSDEEP

49152:j3B3BNkmneOg9/liOjsCpfAwq1jwaCJtn:TFBNkB9NiOjsC5A91jw5

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 35 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1616	schtasks.exe
		1724	schtasks.exe
		2404	schtasks.exe
		2508	schtasks.exe
		636	schtasks.exe
		2936	schtasks.exe
		2204	schtasks.exe
		2020	schtasks.exe
		2552	schtasks.exe
		2656	schtasks.exe
		2820	schtasks.exe
		3000	schtasks.exe
		1244	schtasks.exe
		1624	schtasks.exe
		1912	schtasks.exe
		1048	schtasks.exe
		2888	schtasks.exe
		2748	schtasks.exe
		1704	schtasks.exe
		1708	schtasks.exe
		2592	schtasks.exe
		2840	schtasks.exe
		1700	schtasks.exe
		1936	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b		oSWI7.exe
		2756	schtasks.exe
		2580	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe		oSWI7.exe
		2616	schtasks.exe
		1720	schtasks.exe
		2380	schtasks.exe
		2900	schtasks.exe
		3060	schtasks.exe
		1460	schtasks.exe
		368	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\audiodg.exe\", \"C:\\Users\\Admin\\Start Menu\\services.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\audiodg.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\", \"C:\\Users\\Admin\\Downloads\\dllhost.exe\", \"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\audiodg.exe\", \"C:\\Users\\Admin\\Start Menu\\services.exe\""	oSWI7.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2132	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2132	schtasks.exe	28

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1180-0-0x00000000008C0000-0x0000000000AD6000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d27-33.dat	dcrat
behavioral1/files/0x0007000000016d51-97.dat	dcrat
behavioral1/files/0x000a000000016d51-123.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2352	audiodg.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows Portable Devices\\audiodg.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\Idle.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Downloads\\dllhost.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Downloads\\dllhost.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Start Menu\\services.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Mail\\es-ES\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\audiodg.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\csrss.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\7156ad82-9b8d-11ee-a45c-bce704e297ea\\dwm.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\audiodg.exe\""	oSWI7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Start Menu\\services.exe\""	oSWI7.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe	oSWI7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9BA4.tmp	oSWI7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9DC7.tmp	oSWI7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe	oSWI7.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXB1EC.tmp	oSWI7.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	oSWI7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\audiodg.exe	oSWI7.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe	oSWI7.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe	oSWI7.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\886983d96e3d3e	oSWI7.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\42af1c969fbb7b	oSWI7.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe	oSWI7.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\886983d96e3d3e	oSWI7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\spoolsv.exe	oSWI7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\RCXA402.tmp	oSWI7.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	oSWI7.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	oSWI7.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	oSWI7.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXAD0A.tmp	oSWI7.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe	oSWI7.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e	oSWI7.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXAAE7.tmp	oSWI7.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	oSWI7.exe
File created	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	oSWI7.exe

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1912	schtasks.exe
1460	schtasks.exe
2748	schtasks.exe
2936	schtasks.exe
2616	schtasks.exe
1720	schtasks.exe
1936	schtasks.exe
2756	schtasks.exe
2840	schtasks.exe
3060	schtasks.exe
2204	schtasks.exe
2656	schtasks.exe
2820	schtasks.exe
1700	schtasks.exe
1704	schtasks.exe
2592	schtasks.exe
3000	schtasks.exe
2508	schtasks.exe
2020	schtasks.exe
2580	schtasks.exe
1616	schtasks.exe
1048	schtasks.exe
1624	schtasks.exe
2404	schtasks.exe
368	schtasks.exe
1708	schtasks.exe
1244	schtasks.exe
2380	schtasks.exe
2888	schtasks.exe
2552	schtasks.exe
1724	schtasks.exe
2900	schtasks.exe
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
1180	oSWI7.exe
2416	powershell.exe
2260	powershell.exe
872	powershell.exe
1016	powershell.exe
3044	powershell.exe
2232	powershell.exe
1604	powershell.exe
2104	powershell.exe
2480	powershell.exe
2044	powershell.exe
1656	powershell.exe
2848	powershell.exe
2352	audiodg.exe
2352	audiodg.exe
2352	audiodg.exe
2352	audiodg.exe
2352	audiodg.exe
2352	audiodg.exe
2352	audiodg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	oSWI7.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2352	audiodg.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2232	1180	oSWI7.exe	62
PID 1180 wrote to memory of 2232	1180	oSWI7.exe	62
PID 1180 wrote to memory of 2232	1180	oSWI7.exe	62
PID 1180 wrote to memory of 2260	1180	oSWI7.exe	63
PID 1180 wrote to memory of 2260	1180	oSWI7.exe	63
PID 1180 wrote to memory of 2260	1180	oSWI7.exe	63
PID 1180 wrote to memory of 1016	1180	oSWI7.exe	64
PID 1180 wrote to memory of 1016	1180	oSWI7.exe	64
PID 1180 wrote to memory of 1016	1180	oSWI7.exe	64
PID 1180 wrote to memory of 3044	1180	oSWI7.exe	72
PID 1180 wrote to memory of 3044	1180	oSWI7.exe	72
PID 1180 wrote to memory of 3044	1180	oSWI7.exe	72
PID 1180 wrote to memory of 2416	1180	oSWI7.exe	71
PID 1180 wrote to memory of 2416	1180	oSWI7.exe	71
PID 1180 wrote to memory of 2416	1180	oSWI7.exe	71
PID 1180 wrote to memory of 2104	1180	oSWI7.exe	69
PID 1180 wrote to memory of 2104	1180	oSWI7.exe	69
PID 1180 wrote to memory of 2104	1180	oSWI7.exe	69
PID 1180 wrote to memory of 1604	1180	oSWI7.exe	67
PID 1180 wrote to memory of 1604	1180	oSWI7.exe	67
PID 1180 wrote to memory of 1604	1180	oSWI7.exe	67
PID 1180 wrote to memory of 2480	1180	oSWI7.exe	65
PID 1180 wrote to memory of 2480	1180	oSWI7.exe	65
PID 1180 wrote to memory of 2480	1180	oSWI7.exe	65
PID 1180 wrote to memory of 2848	1180	oSWI7.exe	70
PID 1180 wrote to memory of 2848	1180	oSWI7.exe	70
PID 1180 wrote to memory of 2848	1180	oSWI7.exe	70
PID 1180 wrote to memory of 872	1180	oSWI7.exe	73
PID 1180 wrote to memory of 872	1180	oSWI7.exe	73
PID 1180 wrote to memory of 872	1180	oSWI7.exe	73
PID 1180 wrote to memory of 1656	1180	oSWI7.exe	74
PID 1180 wrote to memory of 1656	1180	oSWI7.exe	74
PID 1180 wrote to memory of 1656	1180	oSWI7.exe	74
PID 1180 wrote to memory of 2044	1180	oSWI7.exe	82
PID 1180 wrote to memory of 2044	1180	oSWI7.exe	82
PID 1180 wrote to memory of 2044	1180	oSWI7.exe	82
PID 1180 wrote to memory of 2700	1180	oSWI7.exe	86
PID 1180 wrote to memory of 2700	1180	oSWI7.exe	86
PID 1180 wrote to memory of 2700	1180	oSWI7.exe	86
PID 2700 wrote to memory of 604	2700	cmd.exe	88
PID 2700 wrote to memory of 604	2700	cmd.exe	88
PID 2700 wrote to memory of 604	2700	cmd.exe	88
PID 2700 wrote to memory of 2352	2700	cmd.exe	89
PID 2700 wrote to memory of 2352	2700	cmd.exe	89
PID 2700 wrote to memory of 2352	2700	cmd.exe	89
PID 2352 wrote to memory of 2200	2352	audiodg.exe	92
PID 2352 wrote to memory of 2200	2352	audiodg.exe	92
PID 2352 wrote to memory of 2200	2352	audiodg.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\oSWI7.exe
"C:\Users\Admin\AppData\Local\Temp\oSWI7.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\oSWI7.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oBbgPmrREG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:604
- - C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe
    "C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2352 -s 848
      4⤵
      PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\es-ES\csrss.exe

Filesize
2.1MB

MD5
cf7aa78e605479dd9c2e96121c1cc49f

SHA1
a3603488a0d88fc26c21ffa25a044e45da2dbcb0

SHA256
94b238a6c0c1757059b32035d7f7908b93a03c95cbcfb5c410380093a4ae3e00

SHA512
a496755c88b69c318c55be96dff19a2d0aea561a87ee422ba0f11f68844323982876f7421503651c88671ee96ebf76df247e887bc5e85850883601ed23e96729

Download Submit
C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\RCXA8B5.tmp

Filesize
2.1MB

MD5
2babad6340d5ed76938cb5a529821de9

SHA1
adcbbacb9205c126ebbf0e65b5d60c31555dbf56

SHA256
5593204f45adca2331ad67074967df184c7987ac49f3ca8ad201f0d0e0c29906

SHA512
13177792cd10b6bdd0245498cceaef31ffa405595ecf390e5fa1f04172442c0c6598603b7db985b3642c0f4646500eb4413b66b5d6d1c2234275358da50a2cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oBbgPmrREG.bat

Filesize
222B

MD5
7b2784d9d543db1308c9151803cb815e

SHA1
0f7c1ddedde85cdb583bd5c7f676b79257ff3e8e

SHA256
4c8ed15168eff31904fb5b9ce91074154641da78c49e69066070d97315351a21

SHA512
c7bead334a6bcf98f7f0a3d7ed68b407cc18d814bbcd99180a6f14288352e7531fd1a132552bcdad7af829a222ca88bf010a19bd9f5f00f6c58558b10ef0e799

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1c2ba4884f1ae276385f9eb110b3fe8a

SHA1
55e0e98333c464062846e2c04a1ab11cb1548ffb

SHA256
3dffcfa6029fa0326b8f26a4e1bc3bda473897b026c4ea366372777bdd4a584b

SHA512
944750a9ce97f3530e78c16793fd1a0d36a81364d4483464b15c83f0242c882d7a07f0f21b3649b303f1591725700d63879d22093c61c5898b9d66f6674c5d12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\services.exe

Filesize
2.1MB

MD5
3575c6bd962447fd7b9a0b1a95d82c01

SHA1
190468b2e0d7aa0028afd2d3227c58f8f58a0d84

SHA256
88829e95b7d6dd4647a91fecbbb4a2605b12e24932c87354f573c15dfb75cd0f

SHA512
3e241e949875d2ef7e20a45df3afdd10f77701aa96a6a39f093495801bf49297804714b48b071e8f6f6e1d35ce0e0729122d27b04e2287dafe68e6ba8d833415

Download Submit
memory/872-182-0x00000000029A4000-0x00000000029A7000-memory.dmp

Filesize
12KB

Download
memory/872-186-0x00000000029AB000-0x0000000002A12000-memory.dmp

Filesize
412KB

Download
memory/872-177-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/1016-191-0x000000000245B000-0x00000000024C2000-memory.dmp

Filesize
412KB

Download
memory/1016-189-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1016-178-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/1180-117-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-116-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-13-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/1180-14-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/1180-15-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1180-16-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/1180-18-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-17-0x0000000002280000-0x000000000228E000-memory.dmp

Filesize
56KB

Download
memory/1180-19-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/1180-20-0x0000000002440000-0x000000000244E000-memory.dmp

Filesize
56KB

Download
memory/1180-21-0x0000000002450000-0x000000000245C000-memory.dmp

Filesize
48KB

Download
memory/1180-22-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/1180-23-0x0000000002470000-0x000000000247C000-memory.dmp

Filesize
48KB

Download
memory/1180-32-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-11-0x0000000002210000-0x0000000002222000-memory.dmp

Filesize
72KB

Download
memory/1180-37-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-64-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-79-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-87-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-10-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/1180-101-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-2-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-0-0x00000000008C0000-0x0000000000AD6000-memory.dmp

Filesize
2.1MB

Download
memory/1180-9-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/1180-124-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-125-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1180-8-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/1180-151-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-7-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/1180-1-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-12-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/1180-6-0x0000000000770000-0x000000000078C000-memory.dmp

Filesize
112KB

Download
memory/1180-5-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/1180-3-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/1180-4-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/1604-197-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1604-196-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/1604-198-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-199-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2104-200-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2232-195-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2232-194-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2232-193-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-161-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2260-184-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2260-188-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/2260-180-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-192-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-187-0x0000000002ABB000-0x0000000002B22000-memory.dmp

Filesize
412KB

Download
memory/2416-179-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-183-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

Filesize
12KB

Download
memory/2480-201-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-202-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2480-203-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-185-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/3044-190-0x000000000292B000-0x0000000002992000-memory.dmp

Filesize
412KB

Download
memory/3044-181-0x000007FEEBFD0000-0x000007FEEC96D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-160-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download