dcrat | 5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

Analysis

max time kernel
118s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8C6166BFE177A90E76CEA637C0314647.exe
Size

1.8MB
MD5

8c6166bfe177a90e76cea637c0314647
SHA1

50cc236eddfdb6a1395475cd02756aa6a6a47ccc
SHA256

5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb
SHA512

e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc
SSDEEP

24576:GjlZB5j1w/GT8jQDv6fDEjvVbCOMn08Fv6vnzpzcTRHU+ZLZej32x2FQ4paPHzIc:St5jdxDy7EjvVbWXsvwZlCt6MaP

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\", \"C:\\Users\\Default User\\wininit.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\Branding\\Idle.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\Branding\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Windows\\Branding\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\8C6166BFE177A90E76CEA637C0314647.exe\""	8C6166BFE177A90E76CEA637C0314647.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2276	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2276	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2972	OSPPSVC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Branding\\Idle.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8C6166BFE177A90E76CEA637C0314647 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8C6166BFE177A90E76CEA637C0314647.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Adobe\\Acrobat\\9.0\\audiodg.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\OSPPSVC.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Branding\\Idle.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\winlogon.exe\""	8C6166BFE177A90E76CEA637C0314647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\8C6166BFE177A90E76CEA637C0314647 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8C6166BFE177A90E76CEA637C0314647.exe\""	8C6166BFE177A90E76CEA637C0314647.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCEF9427DB66047B6A5AC345B495DBBC.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\1610b97d3ab4a7	8C6166BFE177A90E76CEA637C0314647.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Idle.exe	8C6166BFE177A90E76CEA637C0314647.exe
File created	C:\Windows\Branding\6ccacd8608530f	8C6166BFE177A90E76CEA637C0314647.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2588	schtasks.exe
1348	schtasks.exe
1632	schtasks.exe
2272	schtasks.exe
1284	schtasks.exe
2756	schtasks.exe
2808	schtasks.exe
2976	schtasks.exe
1972	schtasks.exe
692	schtasks.exe
1076	schtasks.exe
2704	schtasks.exe
2436	schtasks.exe
484	schtasks.exe
2040	schtasks.exe
2672	schtasks.exe
2624	schtasks.exe
1160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2504	8C6166BFE177A90E76CEA637C0314647.exe
2972	OSPPSVC.exe
2972	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	8C6166BFE177A90E76CEA637C0314647.exe
Token: SeDebugPrivilege	2972	OSPPSVC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2700	2504	8C6166BFE177A90E76CEA637C0314647.exe	34
PID 2504 wrote to memory of 2700	2504	8C6166BFE177A90E76CEA637C0314647.exe	34
PID 2504 wrote to memory of 2700	2504	8C6166BFE177A90E76CEA637C0314647.exe	34
PID 2700 wrote to memory of 2148	2700	csc.exe	36
PID 2700 wrote to memory of 2148	2700	csc.exe	36
PID 2700 wrote to memory of 2148	2700	csc.exe	36
PID 2504 wrote to memory of 2880	2504	8C6166BFE177A90E76CEA637C0314647.exe	52
PID 2504 wrote to memory of 2880	2504	8C6166BFE177A90E76CEA637C0314647.exe	52
PID 2504 wrote to memory of 2880	2504	8C6166BFE177A90E76CEA637C0314647.exe	52
PID 2880 wrote to memory of 1480	2880	cmd.exe	54
PID 2880 wrote to memory of 1480	2880	cmd.exe	54
PID 2880 wrote to memory of 1480	2880	cmd.exe	54
PID 2880 wrote to memory of 2164	2880	cmd.exe	55
PID 2880 wrote to memory of 2164	2880	cmd.exe	55
PID 2880 wrote to memory of 2164	2880	cmd.exe	55
PID 2880 wrote to memory of 2972	2880	cmd.exe	56
PID 2880 wrote to memory of 2972	2880	cmd.exe	56
PID 2880 wrote to memory of 2972	2880	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe
"C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xzq03udc\xzq03udc.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFDF.tmp" "c:\Windows\System32\CSCEF9427DB66047B6A5AC345B495DBBC.TMP"
    3⤵
    PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sy4nvinVGi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1480
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2164
- - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe
    "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Branding\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8C6166BFE177A90E76CEA637C03146478" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8C6166BFE177A90E76CEA637C0314647" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8C6166BFE177A90E76CEA637C03146478" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\8C6166BFE177A90E76CEA637C0314647.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\audiodg.exe

Filesize
1.8MB

MD5
8c6166bfe177a90e76cea637c0314647

SHA1
50cc236eddfdb6a1395475cd02756aa6a6a47ccc

SHA256
5446f78732cacbc23fbb1ec9fe92e1bfeb23e8b62607a6e252ecf6a976db02fb

SHA512
e9e149df32570a8ee7ce8167ff19746362642b562bb11898117367bf4516626958612ecb04b7a13705306d6ef370dc4642066f0c8a39f99783060dbbdfbd91cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAFDF.tmp

Filesize
1KB

MD5
393522421d8e2fa340a718c5cc7b643f

SHA1
3d8e0b11dd0550cef6360ebf15d5f89b05e33f47

SHA256
37a95dd50a255e7e5cd4a873c4303e7b2e28bced3da7b54c3de4bdd6b46db795

SHA512
ecf7e3bc74147d4002275f854015b3f89d5df8fb7b05f246f4e5c7c976f7f2ff84d8eac2f1260b31c1dd1e6c424afa26efdd03b30d6bb43041da43f39803cc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sy4nvinVGi.bat

Filesize
258B

MD5
eae09394a8ec3ea4c8150d116f07e298

SHA1
7d1e51c17f3dd5f9d94e9554ed8bfaf24f835003

SHA256
6c67a681fe2c7aecc1b4fdb54407c4af055c98f51f3da91550acf358b7162dac

SHA512
2ee79131279f888362daabb1e34f7e4d468182568bcd59d3685376b1a53fc63abeeabb81123c3dd4e4c08cf1222a1e0d0b5914bc6fd21af04a00b3f48fc518f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzq03udc\xzq03udc.0.cs

Filesize
380B

MD5
d357c1b7b46e28da07c508704ae49c82

SHA1
faa30b4857700f4daf233e0d72dec4a0083dff2c

SHA256
92fc78a146f3aaa732aa01e8d6cc4e7fc9cdfb057cceeaa5f261e19a56d480de

SHA512
9cb0857a5ff488d0037cb9b850972da5b4e3d70f35c5d0a887e769e00a028603877760c513aba0d8a0ae0951a7ccd7ff7a9b743688d72e2405683ecc2f60ad2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzq03udc\xzq03udc.cmdline

Filesize
235B

MD5
79e2d1d7591e8c2bfbd54233b8b1862d

SHA1
e8b3d6cde4cee57670994df8f0af4c8a205ed62e

SHA256
022798cfa84bb52c055406e064785ba5d2b426c7642be0fa535b0d3d2fc3de12

SHA512
14b7588a3f0e1fb377898401ba6633e4cf70acd91291f3defc235c00d8cbdafa744e871742b5e5c79d8245c1d4a2cef5060e2b74b63218e75485c6dd0042b006

Download Submit
\??\c:\Windows\System32\CSCEF9427DB66047B6A5AC345B495DBBC.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/2504-6-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2504-18-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-9-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2504-16-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-15-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-14-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2504-12-0x0000000000480000-0x0000000000498000-memory.dmp

Filesize
96KB

Download
memory/2504-10-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-7-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-0-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

Filesize
4KB

Download
memory/2504-4-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-3-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-2-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-1-0x0000000000F30000-0x000000000110A000-memory.dmp

Filesize
1.9MB

Download
memory/2504-46-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-49-0x0000000000EA0000-0x000000000107A000-memory.dmp

Filesize
1.9MB

Download