dcrat | 953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Size

1.9MB
MD5

fecafe9a80257e221c47577e704498f3
SHA1

79960aa863f445b93531afc55aad6215a2c1bb08
SHA256

953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3
SHA512

c48694e93a5b46bb9cb6ada78e8ad642d142be7b27249bb5e75521b14eb5805c9cd51fa7836d91c40840f2e7fbb46e4b8aeedb9eab688fc26020eba03f381141
SSDEEP

49152:RbYg0qXO9NNBZXRd6ewK8LrcOk+tWh08RT:hYg039NNBx3lGMh08R

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\smss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\smss.exe\", \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\", \"C:\\Users\\Default User\\audiodg.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\services.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Program Files\\7-Zip\\Lang\\services.exe\", \"C:\\Program Files\\7-Zip\\Lang\\smss.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2728	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2728	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe
2208	powershell.exe
2088	powershell.exe
2252	powershell.exe
1676	powershell.exe
3064	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2408	audiodg.exe
2192	audiodg.exe
2652	audiodg.exe
1960	audiodg.exe
572	audiodg.exe
2508	audiodg.exe
2980	audiodg.exe
2832	audiodg.exe
264	audiodg.exe
3064	audiodg.exe
1732	audiodg.exe
1220	audiodg.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\7-Zip\\Lang\\services.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\7-Zip\\Lang\\services.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\DVD Maker\\Shared\\csrss.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\7-Zip\\Lang\\smss.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\7-Zip\\Lang\\smss.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\wininit.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe\""	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA9A4F89D5534605A7FBA353716D1E.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\smss.exe	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
File created	C:\Program Files\7-Zip\Lang\services.exe	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
File created	C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
File created	C:\Program Files\DVD Maker\Shared\csrss.exe	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
File created	C:\Program Files\DVD Maker\Shared\886983d96e3d3e	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2276	PING.EXE
2684	PING.EXE
1252	PING.EXE
3056	PING.EXE
2676	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2684	PING.EXE
1252	PING.EXE
3056	PING.EXE
2676	PING.EXE
2276	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
1892	schtasks.exe
2596	schtasks.exe
1920	schtasks.exe
2972	schtasks.exe
2184	schtasks.exe
2044	schtasks.exe
1932	schtasks.exe
2620	schtasks.exe
2552	schtasks.exe
2156	schtasks.exe
2528	schtasks.exe
1016	schtasks.exe
2916	schtasks.exe
2856	schtasks.exe
2624	schtasks.exe
1380	schtasks.exe
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2408	audiodg.exe
Token: SeDebugPrivilege	2192	audiodg.exe
Token: SeDebugPrivilege	2652	audiodg.exe
Token: SeDebugPrivilege	1960	audiodg.exe
Token: SeDebugPrivilege	572	audiodg.exe
Token: SeDebugPrivilege	2508	audiodg.exe
Token: SeDebugPrivilege	2980	audiodg.exe
Token: SeDebugPrivilege	2832	audiodg.exe
Token: SeDebugPrivilege	264	audiodg.exe
Token: SeDebugPrivilege	3064	audiodg.exe
Token: SeDebugPrivilege	1732	audiodg.exe
Token: SeDebugPrivilege	1220	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2980	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	34
PID 3040 wrote to memory of 2980	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	34
PID 3040 wrote to memory of 2980	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	34
PID 2980 wrote to memory of 1512	2980	csc.exe	36
PID 2980 wrote to memory of 1512	2980	csc.exe	36
PID 2980 wrote to memory of 1512	2980	csc.exe	36
PID 3040 wrote to memory of 1676	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	52
PID 3040 wrote to memory of 1676	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	52
PID 3040 wrote to memory of 1676	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	52
PID 3040 wrote to memory of 2252	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	53
PID 3040 wrote to memory of 2252	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	53
PID 3040 wrote to memory of 2252	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	53
PID 3040 wrote to memory of 3064	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	54
PID 3040 wrote to memory of 3064	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	54
PID 3040 wrote to memory of 3064	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	54
PID 3040 wrote to memory of 2088	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	55
PID 3040 wrote to memory of 2088	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	55
PID 3040 wrote to memory of 2088	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	55
PID 3040 wrote to memory of 2208	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	58
PID 3040 wrote to memory of 2208	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	58
PID 3040 wrote to memory of 2208	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	58
PID 3040 wrote to memory of 2516	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	59
PID 3040 wrote to memory of 2516	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	59
PID 3040 wrote to memory of 2516	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	59
PID 3040 wrote to memory of 2536	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	64
PID 3040 wrote to memory of 2536	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	64
PID 3040 wrote to memory of 2536	3040	953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe	64
PID 2536 wrote to memory of 2132	2536	cmd.exe	66
PID 2536 wrote to memory of 2132	2536	cmd.exe	66
PID 2536 wrote to memory of 2132	2536	cmd.exe	66
PID 2536 wrote to memory of 996	2536	cmd.exe	67
PID 2536 wrote to memory of 996	2536	cmd.exe	67
PID 2536 wrote to memory of 996	2536	cmd.exe	67
PID 2536 wrote to memory of 2408	2536	cmd.exe	68
PID 2536 wrote to memory of 2408	2536	cmd.exe	68
PID 2536 wrote to memory of 2408	2536	cmd.exe	68
PID 2408 wrote to memory of 2592	2408	audiodg.exe	69
PID 2408 wrote to memory of 2592	2408	audiodg.exe	69
PID 2408 wrote to memory of 2592	2408	audiodg.exe	69
PID 2592 wrote to memory of 2676	2592	cmd.exe	71
PID 2592 wrote to memory of 2676	2592	cmd.exe	71
PID 2592 wrote to memory of 2676	2592	cmd.exe	71
PID 2592 wrote to memory of 2276	2592	cmd.exe	72
PID 2592 wrote to memory of 2276	2592	cmd.exe	72
PID 2592 wrote to memory of 2276	2592	cmd.exe	72
PID 2592 wrote to memory of 2192	2592	cmd.exe	74
PID 2592 wrote to memory of 2192	2592	cmd.exe	74
PID 2592 wrote to memory of 2192	2592	cmd.exe	74
PID 2192 wrote to memory of 2892	2192	audiodg.exe	75
PID 2192 wrote to memory of 2892	2192	audiodg.exe	75
PID 2192 wrote to memory of 2892	2192	audiodg.exe	75
PID 2892 wrote to memory of 2820	2892	cmd.exe	77
PID 2892 wrote to memory of 2820	2892	cmd.exe	77
PID 2892 wrote to memory of 2820	2892	cmd.exe	77
PID 2892 wrote to memory of 1280	2892	cmd.exe	78
PID 2892 wrote to memory of 1280	2892	cmd.exe	78
PID 2892 wrote to memory of 1280	2892	cmd.exe	78
PID 2892 wrote to memory of 2652	2892	cmd.exe	79
PID 2892 wrote to memory of 2652	2892	cmd.exe	79
PID 2892 wrote to memory of 2652	2892	cmd.exe	79
PID 2652 wrote to memory of 1672	2652	audiodg.exe	80
PID 2652 wrote to memory of 1672	2652	audiodg.exe	80
PID 2652 wrote to memory of 1672	2652	audiodg.exe	80
PID 1672 wrote to memory of 764	1672	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe
"C:\Users\Admin\AppData\Local\Temp\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvonqxjn\dvonqxjn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E89.tmp" "c:\Windows\System32\CSCA9A4F89D5534605A7FBA353716D1E.TMP"
    3⤵
    PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P84ioaSK9f.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2132
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:996
- - C:\Users\Default User\audiodg.exe
    "C:\Users\Default User\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YZmcI1uzTd.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2676
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
    - - C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1280
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5CZTOTC2vN.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat"
        10⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1956
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TipjmLA2pW.bat"
        12⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oR202sdZsO.bat"
        14⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2828
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat"
        16⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2608
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y9fzlxD6eQ.bat"
        18⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2244
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sTLrgzBrGH.bat"
        20⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:480
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLOEqHw6cP.bat"
        22⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat"
        24⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
        
        C:\Users\Default User\audiodg.exe
        
        "C:\Users\Default User\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qFKlxXtZuP.bat"
        26⤵
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e39" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e39" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\Shared\csrss.exe

Filesize
1.9MB

MD5
fecafe9a80257e221c47577e704498f3

SHA1
79960aa863f445b93531afc55aad6215a2c1bb08

SHA256
953d9c6534dd4dda5dc6c53755974e39947672ea521ddfb613a8c28a4f3c10e3

SHA512
c48694e93a5b46bb9cb6ada78e8ad642d142be7b27249bb5e75521b14eb5805c9cd51fa7836d91c40840f2e7fbb46e4b8aeedb9eab688fc26020eba03f381141

Download Submit
C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat

Filesize
161B

MD5
837cf87322145bd929426c91558f434c

SHA1
42eaadf4fccff1e7e0883d044dc1cc3cf6958874

SHA256
57c217cc155b28680284275541bad1ac7d6c96b0489eebf20f03d3ecf5ed67db

SHA512
673a039d2982c92e90abf47be9f612a2daad90c163bc9f49f638a70b916d7770fbd2a825500e86a3d566f94921ddb2eb4af90648af0e169d350b7b43ecd8786c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CZTOTC2vN.bat

Filesize
161B

MD5
cc7836345da0e2724459026abdb5d89a

SHA1
a2b918a7eb8c13638ba435e6cf5c1d1c7448711a

SHA256
14cce53f8ffb05932745f7c22651c3d271e9283db1fb1a257f9feaf0f948f3df

SHA512
427d877748cd4274d08b3ff05c36c3167a9f78a570529a2e9748bcfde17c7c35bce3eef8222625fddf10c084c6a4333715e47c6b4b4a7a5f608f0a69ab6c3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\P84ioaSK9f.bat

Filesize
209B

MD5
706a058a89ef4b4ea56326d0fa472bd0

SHA1
19a144ebda7ae449c4f090a6e83a6307a57fe4dc

SHA256
6c498261b1a44594cf31c866c3eb1387417a70081ba05c316eb7a5c3e2a82bad

SHA512
8aca2b86692b9fae66f115680327de2f7aad2113171e4748780c51ed46782287abb16c5a565e6c8e39ee0802f21b7a0f443b3aeed89217d3d113ac481c301e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E89.tmp

Filesize
1KB

MD5
1ad9d5cdc897dcbbe11dd8deef983f8d

SHA1
ab6ec1f059f971b3b87a9fb2834b108fb510cff4

SHA256
addf98f6a5a07fa66ac5a6e0863acc70942c2e41921133bb378fcf78380021d1

SHA512
47c449f2aa36e32a4057681d28d79d35a37c4db7d621259cdb3a54dd0d7a42b247e41cc6231b65ff1123c4343aa29c1608ef4b049cab95f34ba7e6f05b73abf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat

Filesize
209B

MD5
d8099f67155312ac5009125b69d1161c

SHA1
635a03ca3fcd47270caa474b86c8c3eb83aad331

SHA256
cc612da99c597a7cc367384929ff73cf8b6533c993faabf3fbdc6cac3d4d3245

SHA512
4295a2dc4feb2dd8259db1d673b045bfd3015a9aed4085c5c312d115330965bfdc5b67dfcacb94b9184389a5def531321fa1325078167c2022af6c8e37a49511

Download Submit
C:\Users\Admin\AppData\Local\Temp\TipjmLA2pW.bat

Filesize
161B

MD5
156417ed6571db76a180bad112f6ccc0

SHA1
818538534c2306f14c4b37d33f1dc52a96b6cb1a

SHA256
c48f47547e1d57b2ad84f09104f2f42eda0a5d74da3905932e1410afe9575b0d

SHA512
57904d93b2008247038319d8d1e14d552960616faf3ea39788a98c35bd434a94c3eb9eb57b517e63c3c87bba615b3d15d278f90b8080f546eb9051df68c62dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WLOEqHw6cP.bat

Filesize
161B

MD5
644c4623b5bc72d0102bd0c863a07067

SHA1
37565895d70bf17d1573c9b08645277ba6348045

SHA256
9a8b1bda2fc9e6b709dcfd90301ada94ca1cc731856f982b8c6458f175da7002

SHA512
da5556cfd5a35d602870fbfe8beceac7ad23aa5e83329ae84888ac5a9f9644cbd1f98b49fcd39a8a1ea79cc20faa276d3681ee9e109f312b974d4b2b20f60d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y9fzlxD6eQ.bat

Filesize
209B

MD5
982c186bf197fd38fc99b9e8d1fe0f68

SHA1
bf154db279740bc428959db8753e076c76d46fa6

SHA256
035071af02368d01f750100546e72735e426eb330e5babf8acf8d92e6490f651

SHA512
2a2f996d4719d7d99962b0ed62ad207494db7500c0bc22b9248762120ee23051ac313d5ed78e1066ffdb5b339798607a6671eccb1e35faa75d2d438b93f6b776

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZmcI1uzTd.bat

Filesize
161B

MD5
33cf7bf38fe6d495bcccadf430cd63da

SHA1
dd8828dcfc3dd9d6917f0ab09e4928765d8b76b1

SHA256
33faa28e726369d1ff33e8cd977e1e7e99f03efd3dc4354b2bf7312afc5e271d

SHA512
d41397d29ba9888c178a878a16e49cf134e893370c382ea5398a084077262f247fababbe77e5c811746dd413e73ce719f256608d9c5c764e75784db846bef8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat

Filesize
209B

MD5
77849d6d4f796b29567f0762ab2d074f

SHA1
ccb04bb3ab3ca3618f41e5d675ecd82010d0a366

SHA256
a62857312717883cd658164b9647d60e2d2fabc5514043cfc2f09dbecb6b690c

SHA512
37d3a0fafe798d188502d4c6a965d0f8765ec0d81728afac707ac92562cb555c71905bbe4d03d36d7baee52057fd75c912599ae7f51b260c86aca84c9d484458

Download Submit
C:\Users\Admin\AppData\Local\Temp\oR202sdZsO.bat

Filesize
209B

MD5
ebe21fe9f65a292a04c4cd265d7fde65

SHA1
dc4f72be509fef94c3c6ed54d245e8def32dacca

SHA256
90bb3338ad5594c85c9798e46215a04f6c701900cf4fd14115bc8e969d4fcdb6

SHA512
46d671afaf7d455c06e078937ac6c87fdfa38d73b7c564a0c78ab0907f98a4a11675e67e0c27464731dd6ac0c3243a8429da326ba0186144a3f3fa113a8246f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qFKlxXtZuP.bat

Filesize
209B

MD5
00fb8829055126d4f41d456ac2e3a5c2

SHA1
31385e16b3fe8709158f0dfd92d8df13c71de534

SHA256
9f17a6b1b58b7750c759d00f848fb07af2b26b3c59c1db277d9915bbb444773e

SHA512
cbeac3e31c1577ed40202a8be87e8ba8ec11d0f7088064fbaa55708c1125688d1edd8871d1cc3b4649173e9ab4fdc19aba420f1d3d9e5b14d1c8c2333e9fdedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTLrgzBrGH.bat

Filesize
209B

MD5
4873a04e19f3e84f32dbedc63de1f53a

SHA1
b6096755b11e2ed804313729974bda503edb11b0

SHA256
85f6b6388fa296ab0fd626a6e5c8d61ff6f0bf455d630e7690c8b9859460539f

SHA512
17905b1546579057f6675e0b6ef722c5df6b880e87f8e1f28ca22b710f772f1020e02f08a51dd960bbcaa17db11072d77e3eeac2983d5a7e1541be9f7589fe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat

Filesize
209B

MD5
f05c337cdd9a1b5b2e2a1a881f2d9cad

SHA1
ab32989ff4e14426ade0f03f3ccaa0d3b9c80db5

SHA256
d9c89a599eca4b7d7e6c16ed22134f337b4e3054a997e15c5bd019fc7a61cf40

SHA512
c5f4d87c98088e08ccd3249ffba77fc143ce587146e7a56c27144d35d4a118f519b4ae39c65db3a7ac93632d73b59b42bf89ea97faaedd367c21678194e58ce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
871c94cc6aea0f7cfc1a31abf7a27b3f

SHA1
160d937f6c2318390707b6e59236a15e50dea5e1

SHA256
84bcc3642b7e4a8206cc0c6b56f1d7034d74b867722990e6921171e02cd4406b

SHA512
695f7f76cf23a64735193467d035daa9fafd8caedcf6f6d1219a11950a714dc72c290c421b3edd71e771c64deda51c3512dc92d60449a8a956b20c8e696f7d04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvonqxjn\dvonqxjn.0.cs

Filesize
375B

MD5
7fc7ce285f8685d59e02bc368309e252

SHA1
bf9041ab8a04eef38233ab3ce62abff585a447e6

SHA256
ca306237cbfa9845ee7792eedc12b806fb07815427e3ac4e3adba3da3c452d8f

SHA512
f442b03ba7a628b4816c98e6bbccb3d54e799ff3ea41d5736fdd2445c891ace9d4fdb9bd84749fc2ddf9e93756b72950b8716491a5ba5d8a0dcfdf9672b6081a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvonqxjn\dvonqxjn.cmdline

Filesize
235B

MD5
148ac876eb0d534984d1f928d5247775

SHA1
b3e8d0071c9f657e05a72c0eb420377e2f0f43b9

SHA256
5db81a808ab549cc27832482d6ca76655d026cad9f76582dd8d4f5c6a46088d9

SHA512
20d72103b42d3ce5599a8c6f1dbcaae13e2152c9b4ec7ceaec2f857e505b489f1d88615481df4327a1ca60836c2d4a500757341634260d534eeb5c200ec60c33

Download Submit
\??\c:\Windows\System32\CSCA9A4F89D5534605A7FBA353716D1E.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/264-178-0x00000000001F0000-0x00000000003D4000-memory.dmp

Filesize
1.9MB

Download
memory/1220-215-0x00000000013D0000-0x00000000015B4000-memory.dmp

Filesize
1.9MB

Download
memory/2192-95-0x0000000000280000-0x0000000000464000-memory.dmp

Filesize
1.9MB

Download
memory/2408-83-0x00000000008A0000-0x0000000000A84000-memory.dmp

Filesize
1.9MB

Download
memory/2508-142-0x0000000000340000-0x0000000000524000-memory.dmp

Filesize
1.9MB

Download
memory/2652-107-0x00000000013B0000-0x0000000001594000-memory.dmp

Filesize
1.9MB

Download
memory/2980-154-0x0000000000E20000-0x0000000001004000-memory.dmp

Filesize
1.9MB

Download
memory/3040-20-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-14-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/3040-1-0x0000000000B20000-0x0000000000D04000-memory.dmp

Filesize
1.9MB

Download
memory/3040-48-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-12-0x00000000006F0000-0x0000000000708000-memory.dmp

Filesize
96KB

Download
memory/3040-17-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/3040-18-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-19-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-0-0x000007FEF50C3000-0x000007FEF50C4000-memory.dmp

Filesize
4KB

Download
memory/3040-2-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-15-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-10-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-8-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/3040-9-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-6-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/3040-3-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-4-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-190-0x0000000000D90000-0x0000000000F74000-memory.dmp

Filesize
1.9MB

Download
memory/3064-64-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/3064-63-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download