dcrat | d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe
Size

2.1MB
MD5

ec5fdacecceee343335d6a686ce75864
SHA1

965f210fa2eccd71a866908320cb92eb926b338d
SHA256

d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad
SHA512

533713c84dfcd9d23ffb338d9dd5c237ef6151315037ed8477f91bd89bad02639ee9e936cfc2ea5098f2bbff9e565115b14f71e287297d11328cf9c030512a4c
SSDEEP

49152:IBJi/YtO8s26Kzc1OpFAuD86cmG96kZTRc:ycoxd6Yc1+rXG3Rc

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\", \"C:\\WebWinBrokerDll\\explorer.exe\", \"C:\\Windows\\TAPI\\lsass.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\", \"C:\\WebWinBrokerDll\\explorer.exe\", \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\ja-JP\\WmiPrvSE.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\", \"C:\\WebWinBrokerDll\\explorer.exe\", \"C:\\Windows\\TAPI\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\ja-JP\\WmiPrvSE.exe\", \"C:\\WebWinBrokerDll\\BridgeServerruntime.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\", \"C:\\WebWinBrokerDll\\explorer.exe\""	BridgeServerruntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2656	schtasks.exe	34

Executes dropped EXE 2 IoCs

pid	Process
2668	BridgeServerruntime.exe
1696	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	cmd.exe
2728	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Sidebar\\ja-JP\\WmiPrvSE.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BridgeServerruntime = "\"C:\\WebWinBrokerDll\\BridgeServerruntime.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\WebWinBrokerDll\\explorer.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\TAPI\\lsass.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\TAPI\\lsass.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Sidebar\\ja-JP\\WmiPrvSE.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BridgeServerruntime = "\"C:\\WebWinBrokerDll\\BridgeServerruntime.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\sppsvc.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\audiodg.exe\""	BridgeServerruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\WebWinBrokerDll\\explorer.exe\""	BridgeServerruntime.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBC166EF4E36041B3A4654C1AE1429A94.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe	BridgeServerruntime.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe	BridgeServerruntime.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\24dbde2999530e	BridgeServerruntime.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\audiodg.exe	BridgeServerruntime.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\42af1c969fbb7b	BridgeServerruntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\lsass.exe	BridgeServerruntime.exe
File created	C:\Windows\TAPI\6203df4a6bafc7	BridgeServerruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
332	schtasks.exe
2536	schtasks.exe
2160	schtasks.exe
2232	schtasks.exe
1288	schtasks.exe
1012	schtasks.exe
1484	schtasks.exe
1764	schtasks.exe
2960	schtasks.exe
2416	schtasks.exe
3004	schtasks.exe
2888	schtasks.exe
1156	schtasks.exe
2212	schtasks.exe
316	schtasks.exe
1084	schtasks.exe
2164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
2668	BridgeServerruntime.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe
1696	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	BridgeServerruntime.exe
Token: SeDebugPrivilege	1696	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2780	1448	d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe	30
PID 1448 wrote to memory of 2780	1448	d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe	30
PID 1448 wrote to memory of 2780	1448	d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe	30
PID 1448 wrote to memory of 2780	1448	d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe	30
PID 2780 wrote to memory of 2728	2780	WScript.exe	31
PID 2780 wrote to memory of 2728	2780	WScript.exe	31
PID 2780 wrote to memory of 2728	2780	WScript.exe	31
PID 2780 wrote to memory of 2728	2780	WScript.exe	31
PID 2728 wrote to memory of 2668	2728	cmd.exe	33
PID 2728 wrote to memory of 2668	2728	cmd.exe	33
PID 2728 wrote to memory of 2668	2728	cmd.exe	33
PID 2728 wrote to memory of 2668	2728	cmd.exe	33
PID 2668 wrote to memory of 1168	2668	BridgeServerruntime.exe	38
PID 2668 wrote to memory of 1168	2668	BridgeServerruntime.exe	38
PID 2668 wrote to memory of 1168	2668	BridgeServerruntime.exe	38
PID 1168 wrote to memory of 544	1168	csc.exe	40
PID 1168 wrote to memory of 544	1168	csc.exe	40
PID 1168 wrote to memory of 544	1168	csc.exe	40
PID 2668 wrote to memory of 1316	2668	BridgeServerruntime.exe	56
PID 2668 wrote to memory of 1316	2668	BridgeServerruntime.exe	56
PID 2668 wrote to memory of 1316	2668	BridgeServerruntime.exe	56
PID 1316 wrote to memory of 2508	1316	cmd.exe	58
PID 1316 wrote to memory of 2508	1316	cmd.exe	58
PID 1316 wrote to memory of 2508	1316	cmd.exe	58
PID 1316 wrote to memory of 1868	1316	cmd.exe	59
PID 1316 wrote to memory of 1868	1316	cmd.exe	59
PID 1316 wrote to memory of 1868	1316	cmd.exe	59
PID 1316 wrote to memory of 1696	1316	cmd.exe	60
PID 1316 wrote to memory of 1696	1316	cmd.exe	60
PID 1316 wrote to memory of 1696	1316	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe
"C:\Users\Admin\AppData\Local\Temp\d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WebWinBrokerDll\d7VV42fpHwMzBQMSzwM0QGomZi6nsu6X6fwca17SIFxI7SHNedkYCWqtFx6.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\WebWinBrokerDll\OH5MsEg2KeRkhqJt.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\WebWinBrokerDll\BridgeServerruntime.exe
      "C:\WebWinBrokerDll/BridgeServerruntime.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5b5kfsz\b5b5kfsz.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AEC.tmp" "c:\Windows\System32\CSCBC166EF4E36041B3A4654C1AE1429A94.TMP"
        6⤵
        
        PID:544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1INrMbO5S.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2508
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1868
      - C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\WebWinBrokerDll\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\WebWinBrokerDll\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\WebWinBrokerDll\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 14 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgeServerruntime" /sc ONLOGON /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 7 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A1INrMbO5S.bat

Filesize
233B

MD5
5fc41d6af0c9729a716b8803f3818d69

SHA1
7eae68535c61cc791de4fd19797898bf9043234c

SHA256
67c7442cefea2779285d51717b23f29012affe998b77a4e00a6b31f6ed6d1c18

SHA512
4ae02c5b984f749517f5b33cd2e326d7702cd98eef763257d6302d5ec1630a714d09d4f19272176d76e499debbcac17a0f772c5a8c91b996764d799b6bf6484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5AEC.tmp

Filesize
1KB

MD5
558b0e9a949a99ca16fbfc061b285dbf

SHA1
d85aee8a2e9ce36a89e3d47bda595bc123ecef25

SHA256
4588cb276e2350205bf70d5580f99bc8fb901c2fad0136a2d58b5e24850b9ad6

SHA512
a4919f5539dae342ab4b8fd81eb39ee9b5470f7ef5812b2e8b3e2c848af202e09440b82f2bbf6a57147a86196646366e3a6b48e19013ab25cce773f773d3e66a

Download Submit
C:\WebWinBrokerDll\BridgeServerruntime.exe

Filesize
1.8MB

MD5
56554dd4e4fb40b0b5e23cbac2632fda

SHA1
639002e98be388ecb14d2b973388531a124f2311

SHA256
e93b10e93c375f1e7a2ad0df4c213a1630d64cac96e6467dd0926b2d44dac295

SHA512
8bc6fb271d6459dcf0c27794dc9f90b83d606c100bc762ada33df238011d0518c85da3c64b37f451706a67030cc99f6a1194d65e2bc5a30ed1e5e029a3bb7288

Download Submit
C:\WebWinBrokerDll\OH5MsEg2KeRkhqJt.bat

Filesize
107B

MD5
41c6e0e5b5a7be33fd9e1f2c02adcc1e

SHA1
1fb52df44fb4a90bcc7311238dedfc1b9ccc6b4f

SHA256
f873310a27b36240c42e0d93c877096e7163d2de480caf83fdce2ef1168376e9

SHA512
a1ca006a8d9300f3743350243bf90629522bb2f71c80a8f3a6cc41759a5746a9bbe932b69e4ca46de7de3c555d66fe2f86c13a717806cc9acdbc80f02525c0be

Download Submit
C:\WebWinBrokerDll\d7VV42fpHwMzBQMSzwM0QGomZi6nsu6X6fwca17SIFxI7SHNedkYCWqtFx6.vbe

Filesize
210B

MD5
7f45c1ae3ffa088fd090281714ccd636

SHA1
e256ac2063feb5bbda9261ebd6941fe391fd5e62

SHA256
096a645b2d6d4d076b4ee48d1e88372c59f895ce7db2a31d8f8aa0132d7ea5bd

SHA512
cadcc93806689bf5b7c3679d160bc9000d6597fea1143f60fa98cc3bcc3107d0efeb2abf661d37ac80189d01fba1e43c533a0f0f31b006eda2175a2f558526b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5b5kfsz\b5b5kfsz.0.cs

Filesize
391B

MD5
09cf8be8fd74486c089b95fb07a9e699

SHA1
1cb0d2b88d7a6de1e943c8ef40c21d83f8257922

SHA256
66fe844f8bef4e259d14d486a8d1825f5f1cb80562dda41567ccb4139f2e300f

SHA512
f3b06c1caef1f5616d8b37f29ce6de2375dc105bd181ff1c1fb50fe842366e2a474addd295f13e5c1eb09b30ddf2e280d5ed6e52b3e5792f6d82a47296779aeb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b5b5kfsz\b5b5kfsz.cmdline

Filesize
235B

MD5
0392c83da33b78a6ad0a875e177e988a

SHA1
dc6e1acb8f28f5f225e6047a88c19e4bac55ec9d

SHA256
feebbaa2471351a963f08e777610217d52b0932346ee6407c0e9d3e9586da0f4

SHA512
075efe2705e03613ee4fa325bda11d0a1b119bbdffa4ad9f077e8ffbff62a819e2869c435ac5eb427d9a101d48237525e35af5cd7f4025596fb4ce39ff7d0127

Download Submit
\??\c:\Windows\System32\CSCBC166EF4E36041B3A4654C1AE1429A94.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/1696-50-0x0000000000E60000-0x0000000001030000-memory.dmp

Filesize
1.8MB

Download
memory/2668-13-0x0000000000E80000-0x0000000001050000-memory.dmp

Filesize
1.8MB

Download
memory/2668-19-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/2668-17-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2668-15-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download