dcrat | 2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

Analysis

max time kernel
121s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-02-2025 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FCD38CBAA3982793517697BF89F666CC.exe
Size

1.8MB
MD5

fcd38cbaa3982793517697bf89f666cc
SHA1

c345ceffabb9decaaa1e7a4f9582313401cbd589
SHA256

2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728
SHA512

8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d
SSDEEP

24576:QNHIUS4ZU8NigrQ1JKwsy3CL3sZb2W2LimA2putPYrrJUHJZ5HwhJ5Ji2aaf1kWT:oII8LFCL3sZqd204AKHFgTI2aU1kW

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\System\\csrss.exe\", \"C:\\Windows\\Setup\\dllhost.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\Saved Games\\audiodg.exe\", \"C:\\Users\\All Users\\Documents\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCD38CBAA3982793517697BF89F666CC.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\System\\csrss.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\System\\csrss.exe\", \"C:\\Windows\\Setup\\dllhost.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\System\\csrss.exe\", \"C:\\Windows\\Setup\\dllhost.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\Saved Games\\audiodg.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\System\\csrss.exe\", \"C:\\Windows\\Setup\\dllhost.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\Saved Games\\audiodg.exe\", \"C:\\Users\\All Users\\Documents\\Idle.exe\""	FCD38CBAA3982793517697BF89F666CC.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2836	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
3008	Idle.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Setup\\dllhost.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ServiceProfiles\\LocalService\\Saved Games\\audiodg.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Documents\\Idle.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\spoolsv.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\System\\csrss.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\System\\csrss.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Setup\\dllhost.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ServiceProfiles\\LocalService\\Saved Games\\audiodg.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Documents\\Idle.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCD38CBAA3982793517697BF89F666CC = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCD38CBAA3982793517697BF89F666CC.exe\""	FCD38CBAA3982793517697BF89F666CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCD38CBAA3982793517697BF89F666CC = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCD38CBAA3982793517697BF89F666CC.exe\""	FCD38CBAA3982793517697BF89F666CC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC376CFC8292134703A176DC83BB43168D.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\csrss.exe	FCD38CBAA3982793517697BF89F666CC.exe
File created	C:\Program Files\Common Files\System\886983d96e3d3e	FCD38CBAA3982793517697BF89F666CC.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Setup\5940a34987c991	FCD38CBAA3982793517697BF89F666CC.exe
File created	C:\Windows\ServiceProfiles\LocalService\Saved Games\audiodg.exe	FCD38CBAA3982793517697BF89F666CC.exe
File created	C:\Windows\ServiceProfiles\LocalService\Saved Games\42af1c969fbb7b	FCD38CBAA3982793517697BF89F666CC.exe
File created	C:\Windows\Setup\dllhost.exe	FCD38CBAA3982793517697BF89F666CC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1428	schtasks.exe
620	schtasks.exe
2800	schtasks.exe
1092	schtasks.exe
1336	schtasks.exe
2812	schtasks.exe
2556	schtasks.exe
2868	schtasks.exe
532	schtasks.exe
2152	schtasks.exe
2912	schtasks.exe
3032	schtasks.exe
2728	schtasks.exe
2628	schtasks.exe
1696	schtasks.exe
320	schtasks.exe
2432	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe
2520	FCD38CBAA3982793517697BF89F666CC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	FCD38CBAA3982793517697BF89F666CC.exe
Token: SeDebugPrivilege	3008	Idle.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2624	2520	FCD38CBAA3982793517697BF89F666CC.exe	34
PID 2520 wrote to memory of 2624	2520	FCD38CBAA3982793517697BF89F666CC.exe	34
PID 2520 wrote to memory of 2624	2520	FCD38CBAA3982793517697BF89F666CC.exe	34
PID 2624 wrote to memory of 2764	2624	csc.exe	36
PID 2624 wrote to memory of 2764	2624	csc.exe	36
PID 2624 wrote to memory of 2764	2624	csc.exe	36
PID 2520 wrote to memory of 2928	2520	FCD38CBAA3982793517697BF89F666CC.exe	52
PID 2520 wrote to memory of 2928	2520	FCD38CBAA3982793517697BF89F666CC.exe	52
PID 2520 wrote to memory of 2928	2520	FCD38CBAA3982793517697BF89F666CC.exe	52
PID 2928 wrote to memory of 2392	2928	cmd.exe	54
PID 2928 wrote to memory of 2392	2928	cmd.exe	54
PID 2928 wrote to memory of 2392	2928	cmd.exe	54
PID 2928 wrote to memory of 2084	2928	cmd.exe	55
PID 2928 wrote to memory of 2084	2928	cmd.exe	55
PID 2928 wrote to memory of 2084	2928	cmd.exe	55
PID 2928 wrote to memory of 3008	2928	cmd.exe	56
PID 2928 wrote to memory of 3008	2928	cmd.exe	56
PID 2928 wrote to memory of 3008	2928	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe
"C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oahwwokt\oahwwokt.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA988.tmp" "c:\Windows\System32\CSC376CFC8292134703A176DC83BB43168D.TMP"
    3⤵
    PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DPPvPWGhy7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2392
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2084
- - C:\Users\All Users\Documents\Idle.exe
    "C:\Users\All Users\Documents\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FCD38CBAA3982793517697BF89F666CCF" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FCD38CBAA3982793517697BF89F666CC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "FCD38CBAA3982793517697BF89F666CCF" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\FCD38CBAA3982793517697BF89F666CC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe

Filesize
1.8MB

MD5
fcd38cbaa3982793517697bf89f666cc

SHA1
c345ceffabb9decaaa1e7a4f9582313401cbd589

SHA256
2c72479cc49731a95d2953c70e8ccf3a11eb154532aae68a7e7c7290797cb728

SHA512
8c5b64aa64dbc494e413b4e83b21c4f9bb0e3dd684a601c4faf1896e2f7d13cdb0885405b17839390358f823f4d61ea608b14f14e3f98d52a03778be64df0b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DPPvPWGhy7.bat

Filesize
213B

MD5
0e3ee28f6ec315866b65cd9b00611686

SHA1
910bbe2ae7f17fdbdc11a59d1fad114b6e2be20d

SHA256
b847941e46596e5b9d648bc35d633ab9e0015e2c25049356c10bcf789d2c6e4c

SHA512
90c86f231f7a9c0e95271c6c8706a40ed1793598c6dca768c31ea8854d53c57b4c75ae738947426a08ae0763eaa6b7e4caed16f51e96ab2504b9de876dbcec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA988.tmp

Filesize
1KB

MD5
03f7bbfdaa414dbba4a0b23d9f23c624

SHA1
7a863feb4ff49581b4f016ffa35e120582ba7ee5

SHA256
70fa0fa5b1fbb53241a493ad1032fe3dc40ae123b7d3bd0e23d98da6ee3c8e80

SHA512
a2e3c54a15c8bf0351086b84f8cd8712955de7f829628317bd644fafee5824e769bec6b576f8aab8e9b8c8b21599526bc4d2f7bcbdc768cecb201052be25b8f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oahwwokt\oahwwokt.0.cs

Filesize
392B

MD5
3449954ecc30741d13778d6e0107c11d

SHA1
cd4be371f1ee1cf8032616470d1e1f09222955d5

SHA256
38920aadd69b8631f4566d6b1c31dd7d211d8c248db9c86f07bebb53ea0a08fd

SHA512
384fb2ecfd54cd733d3a13f551f0604d79c7538ea36cfa5995cb0adf0cb3bfc282000b16f7c20000e308283abbac76d3efda3031e1140fe90819cd2477f0c759

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oahwwokt\oahwwokt.cmdline

Filesize
235B

MD5
68da8f1700874b3ee17c4ef34105a164

SHA1
749ad16dd0a7243e1e70cd597f50c0eccac85d3d

SHA256
46b6c83f86a74b58819bb0900eb5db5691882a9c54fd866adcab0913b605efb5

SHA512
4fa049abe09523a4da80c8fbad15798feeaa4110543c8efd4bba780e4f2a327c85bb43bbc6a4e1510da766b71094d76ed9b9da81a51d2494eddbef1655ce4ee4

Download Submit
\??\c:\Windows\System32\CSC376CFC8292134703A176DC83BB43168D.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/2520-6-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2520-18-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-11-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-13-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2520-10-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2520-15-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2520-17-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-8-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-7-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2520-4-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-3-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-45-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-1-0x0000000001120000-0x00000000012FA000-memory.dmp

Filesize
1.9MB

Download
memory/3008-49-0x00000000008C0000-0x0000000000A9A000-memory.dmp

Filesize
1.9MB

Download