dcrat | 93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Size

1.2MB
MD5

253044d5ee570421130d5d18f2bc72fe
SHA1

2370fd8fed97ce646833df4eaa5014b376afba82
SHA256

93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a
SHA512

97f3b6588285fdbe171541f1b9549186624bf6b21a2bea91bda1689c02d983d14743c6b77dfe0688871bccbaa9269353770b60db427bfac1f316c06d70909616
SSDEEP

24576:Y9rma+UPCofPzH5GB2FeAgcichxYqo2B9ljwN:Y1maHTNgcijqo2vlk

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\System.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Default\\audiodg.exe\", \"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\", \"C:\\Windows\\Media\\Sonata\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2640	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2640	schtasks.exe	28

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2580-1-0x00000000009F0000-0x0000000000B26000-memory.dmp	dcrat
behavioral1/files/0x0006000000016581-14.dat	dcrat
behavioral1/memory/492-40-0x0000000001390000-0x00000000014C6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
492	wininit.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\System.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Media\\Sonata\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\services.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\csrss.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default\\audiodg.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Journal\\es-ES\\explorer.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\dllhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Media\\Sonata\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Media Player\\Skins\\taskhost.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default\\audiodg.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\System.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\wininit.exe\""	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\5940a34987c991	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Media Player\Skins\taskhost.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Journal\es-ES\explorer.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\56085415360792	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Journal\es-ES\7a0fd90576e088	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Program Files\Windows Media Player\Skins\b75386f1303e64	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\Sonata\wininit.exe	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
File created	C:\Windows\Media\Sonata\56085415360792	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe
2560	schtasks.exe
1748	schtasks.exe
2244	schtasks.exe
2628	schtasks.exe
2612	schtasks.exe
2768	schtasks.exe
1148	schtasks.exe
2664	schtasks.exe
2328	schtasks.exe
2016	schtasks.exe
1616	schtasks.exe
2688	schtasks.exe
1280	schtasks.exe
864	schtasks.exe
2596	schtasks.exe
1092	schtasks.exe
2700	schtasks.exe
2496	schtasks.exe
2828	schtasks.exe
1992	schtasks.exe
704	schtasks.exe
1096	schtasks.exe
2760	schtasks.exe
1668	schtasks.exe
2056	schtasks.exe
1144	schtasks.exe
380	schtasks.exe
2868	schtasks.exe
1764	schtasks.exe
2484	schtasks.exe
1428	schtasks.exe
2736	schtasks.exe
2752	schtasks.exe
1736	schtasks.exe
2476	schtasks.exe
332	schtasks.exe
1968	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
492	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
Token: SeDebugPrivilege	492	wininit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1760	2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe	68
PID 2580 wrote to memory of 1760	2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe	68
PID 2580 wrote to memory of 1760	2580	93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe	68
PID 1760 wrote to memory of 1704	1760	cmd.exe	70
PID 1760 wrote to memory of 1704	1760	cmd.exe	70
PID 1760 wrote to memory of 1704	1760	cmd.exe	70
PID 1760 wrote to memory of 492	1760	cmd.exe	71
PID 1760 wrote to memory of 492	1760	cmd.exe	71
PID 1760 wrote to memory of 492	1760	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe
"C:\Users\Admin\AppData\Local\Temp\93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fD3bDu9fp7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1704
- - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe
    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Sonata\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Sonata\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Skins\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Skins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fD3bDu9fp7.bat

Filesize
230B

MD5
4784d1efa04a1890bc42535b130085e0

SHA1
697535e0a7bbc563712a89dd1162f4ad5ee3b114

SHA256
e6408fb7a6877c6e629986776b4bc613f493e8a0ea7d7ef4c98a1b68fa9ac096

SHA512
25a9233c03a199dfa255deccdef439e86351836bd247cd4e3bb856bfa2fb7d95281f711d03791e9f7b384008fa4bb191f2ce871e924df637ce41ac942424b9ea

Download Submit
C:\Windows\Media\Sonata\wininit.exe

Filesize
1.2MB

MD5
253044d5ee570421130d5d18f2bc72fe

SHA1
2370fd8fed97ce646833df4eaa5014b376afba82

SHA256
93cfc408a8782dc6de630c692a565663de8ccca3e700da282e05c3d03c91f14a

SHA512
97f3b6588285fdbe171541f1b9549186624bf6b21a2bea91bda1689c02d983d14743c6b77dfe0688871bccbaa9269353770b60db427bfac1f316c06d70909616

Download Submit
memory/492-40-0x0000000001390000-0x00000000014C6000-memory.dmp

Filesize
1.2MB

Download
memory/2580-0-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x00000000009F0000-0x0000000000B26000-memory.dmp

Filesize
1.2MB

Download
memory/2580-2-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2580-4-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2580-5-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2580-37-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download