dcrat | 754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754ad

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2023, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe
Size

3.5MB
MD5

12826025c71dbd7b7b7b9b8ed8e73176
SHA1

b129a45b5ccfdf0493fabcd3b9d54f9d2321f17f
SHA256

754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754ad
SHA512

f476b6bdf461eb9a6efed2f96280d6a545731e1e4e9071960f3b3d00cf077c11ddbeb0ca2b4d087fe3bf3118bae0dea85625e21843d4e160a2401caf2a978706
SSDEEP

98304:UboZN6a7pKnH5txu3hOVj0wycuXOI8jthCAPKr:U0XvUnH5i3s7M8mP

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	4392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4392	schtasks.exe	88

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentsaves.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000600000002321a-148.dat	dcrat
behavioral2/files/0x000600000002321a-149.dat	dcrat
behavioral2/memory/4220-150-0x0000000000C60000-0x0000000000F9A000-memory.dmp	dcrat
behavioral2/files/0x000600000002322b-157.dat	dcrat
behavioral2/files/0x0006000000023241-187.dat	dcrat
behavioral2/files/0x0006000000023241-188.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4220	componentsaves.exe
4264	Idle.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\lsass.exe	componentsaves.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe	componentsaves.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\6cb0b6c459d5d3	componentsaves.exe
File created	C:\Program Files (x86)\Common Files\csrss.exe	componentsaves.exe
File created	C:\Program Files (x86)\Common Files\886983d96e3d3e	componentsaves.exe
File created	C:\Program Files\Internet Explorer\Idle.exe	componentsaves.exe
File created	C:\Program Files\Internet Explorer\6ccacd8608530f	componentsaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1316	schtasks.exe
1484	schtasks.exe
1436	schtasks.exe
1768	schtasks.exe
3628	schtasks.exe
3976	schtasks.exe
4140	schtasks.exe
1476	schtasks.exe
5068	schtasks.exe
2116	schtasks.exe
1156	schtasks.exe
3272	schtasks.exe
4948	schtasks.exe
4676	schtasks.exe
2648	schtasks.exe
1764	schtasks.exe
3888	schtasks.exe
2276	schtasks.exe
1464	schtasks.exe
408	schtasks.exe
3620	schtasks.exe
776	schtasks.exe
2420	schtasks.exe
3656	schtasks.exe
4416	schtasks.exe
3892	schtasks.exe
3840	schtasks.exe
4016	schtasks.exe
4644	schtasks.exe
1504	schtasks.exe
3156	schtasks.exe
2056	schtasks.exe
740	schtasks.exe
1584	schtasks.exe
1940	schtasks.exe
4504	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	componentsaves.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4220	componentsaves.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe
4264	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4264	Idle.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	componentsaves.exe
Token: SeDebugPrivilege	4264	Idle.exe
Token: SeBackupPrivilege	5060	vssvc.exe
Token: SeRestorePrivilege	5060	vssvc.exe
Token: SeAuditPrivilege	5060	vssvc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4736	4828	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	83
PID 4828 wrote to memory of 4736	4828	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	83
PID 4828 wrote to memory of 4736	4828	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	83
PID 4828 wrote to memory of 4912	4828	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	84
PID 4828 wrote to memory of 4912	4828	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	84
PID 4828 wrote to memory of 4912	4828	754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe	84
PID 4736 wrote to memory of 3464	4736	WScript.exe	92
PID 4736 wrote to memory of 3464	4736	WScript.exe	92
PID 4736 wrote to memory of 3464	4736	WScript.exe	92
PID 3464 wrote to memory of 4220	3464	cmd.exe	94
PID 3464 wrote to memory of 4220	3464	cmd.exe	94
PID 4220 wrote to memory of 2668	4220	componentsaves.exe	131
PID 4220 wrote to memory of 2668	4220	componentsaves.exe	131
PID 2668 wrote to memory of 1404	2668	cmd.exe	133
PID 2668 wrote to memory of 1404	2668	cmd.exe	133
PID 2668 wrote to memory of 4264	2668	cmd.exe	134
PID 2668 wrote to memory of 4264	2668	cmd.exe	134
PID 4264 wrote to memory of 3724	4264	Idle.exe	136
PID 4264 wrote to memory of 3724	4264	Idle.exe	136
PID 4264 wrote to memory of 380	4264	Idle.exe	137
PID 4264 wrote to memory of 380	4264	Idle.exe	137

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	componentsaves.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

C:\Users\Admin\AppData\Local\Temp\754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\754c52185fa2fc8ac2d9f03290db41c4afede6933a55a6bd57c6158ce6d754adexe_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comBrowser\WjASW46x39BT.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comBrowser\pRTxhw.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\comBrowser\componentsaves.exe
      "C:\comBrowser\componentsaves.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBTP30ipwI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1404
      - C:\Program Files\Internet Explorer\Idle.exe
        
        "C:\Program Files\Internet Explorer\Idle.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\517c7f0f-101b-4c18-9a92-7ed3fe76f8d3.vbs"
        7⤵
        
        PID:3724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894182d1-6036-45ba-8d89-c696432f6d77.vbs"
        7⤵
        
        PID:380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comBrowser\file.vbs"
  2⤵
  PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\comBrowser\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\comBrowser\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\comBrowser\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Music\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\Idle.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\Program Files\Internet Explorer\Idle.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\517c7f0f-101b-4c18-9a92-7ed3fe76f8d3.vbs

Filesize
719B

MD5
baabd65338ef90a14b1fef2a5cfed011

SHA1
96f292f79510d0a106a3f6f3f0dc0754c47ed8c9

SHA256
4be2d5eafe7ef037cf37a42b86f98bc195ef2b30b769ac4376cf3cc47a146baf

SHA512
7db6f3294c6887ecf93327d624f04b86d66eb66e645f8ef7b3449e1226151388d348f32847e04d447fb70a6a5dd9f53592477d6de269956c7884ab05820b9010

Download Submit
C:\Users\Admin\AppData\Local\Temp\894182d1-6036-45ba-8d89-c696432f6d77.vbs

Filesize
495B

MD5
8ea6cbbf0509d3d6ef93e9c4ffde4547

SHA1
497a935cc8461bdb7380335a6c6eb917030a14f9

SHA256
449b167d4b90eb99ab560d96b4f0a80e8451a901746a60059448e317f648f2b0

SHA512
a9ae5920d3019b003943dc208a2b59cd69ae14422901de8dae5c5e8edb6da55ecbfcf8558fc87d493711582988412f18bc1d03eb2f78d1f3bc8ed9b22ed37bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBTP30ipwI.bat

Filesize
208B

MD5
ebc25d9f6ba49e884db623011993a396

SHA1
7c909948aa567d6b0176b1fb445cd39f046e4352

SHA256
0513d4b2d060a290fe7449b71388910250d15a4487f46f18d07927d24dbaf64f

SHA512
218de3daf68eae453ba59be7166c968996a11d38b6d4b6f294d433519479903f07cd04fe61884a8fbe0bb6c763efef6432172eff1e96a195255e6a64883342c5

Download Submit
C:\Users\Default\AppData\Local\WmiPrvSE.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\comBrowser\WjASW46x39BT.vbe

Filesize
194B

MD5
c5b75678f537eb298465b875c16bdc32

SHA1
1437a0c736b4a51da3c507c21dba67394464bb1a

SHA256
608bcf1b8a64e6bdd049a75bc27187610b3c2c985dfc1c3a87b70f2506ed8b37

SHA512
6c78caf9c40310f0bee817390dd25e14a0a3b8268577e2b830ef800bfaa18502b634dcb1d1b988d5d52ac8517bab417f63fa1b9bb6d62aced46a0f2f37b82841

Download Submit
C:\comBrowser\componentsaves.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\comBrowser\componentsaves.exe

Filesize
3.2MB

MD5
67b598599821a46cae86c89b4942664f

SHA1
7a5e983be68766eb5ffb86ebc43d37c44c66cc9c

SHA256
f512769aa40ab275fb5b24a1326eb4ae0bcd35706dc78895394623a42130e26d

SHA512
f5aed68a83c933c2df59bc4d4733f22ce1528e0c97727b8debb3f2d65624481f6602150a6106f8109438dbccd5b3550b6f5a65f01f0664c50070faa2e5ef01b3

Download Submit
C:\comBrowser\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\comBrowser\pRTxhw.bat

Filesize
34B

MD5
02cb21db6ec286736bfd5fd2dad1f4ad

SHA1
d51de8ccbb7a921b7afbffd05e10a5f4c460a4a9

SHA256
e1153ce8370ace295803a78da424980db3dca34fee5503eb66b053e79dd647ca

SHA512
dba520e750e13dffcb8b9b9b789f28577846eb04f2470a39062af9b10d2c50e509fee11312fec3a30b45d219c95c0396ac2a4d8926237eef447238f2cda446ba

Download Submit
memory/4220-150-0x0000000000C60000-0x0000000000F9A000-memory.dmp

Filesize
3.2MB

Download
memory/4220-185-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp

Filesize
10.8MB

Download
memory/4220-154-0x000000001CC10000-0x000000001D138000-memory.dmp

Filesize
5.2MB

Download
memory/4220-153-0x000000001BD10000-0x000000001BD60000-memory.dmp

Filesize
320KB

Download
memory/4220-152-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/4220-151-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp

Filesize
10.8MB

Download
memory/4264-189-0x00007FF92C940000-0x00007FF92D401000-memory.dmp

Filesize
10.8MB

Download
memory/4264-190-0x000000001BC40000-0x000000001BC50000-memory.dmp

Filesize
64KB

Download
memory/4264-200-0x00007FF92C940000-0x00007FF92D401000-memory.dmp

Filesize
10.8MB

Download
memory/4264-201-0x000000001BC40000-0x000000001BC50000-memory.dmp

Filesize
64KB

Download
memory/4264-202-0x000000001E7D0000-0x000000001E992000-memory.dmp

Filesize
1.8MB

Download