dcrat | 23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968

Analysis

max time kernel
55s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Size

2.7MB
MD5

6820b43439b7b0b956738c547623aa7a
SHA1

0f1515df71948d13a8048b4afb6b8676c4a74298
SHA256

23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968
SHA512

9ea7d94280e5ebd4919fe9caf85d58a5c1c40d9ae3eac9f02acfdb2f62727b1168a353b6b91c2f09ee0ae68668cd2e0f823406d71fdc295f9c48639f87b39c34
SSDEEP

49152:sDkZWCF2T8juUND4YQxZzfllulb0fnyN27mEGnjYEhQ+QK:N4CF2sjELplCbmyN27PxEhQ+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4388	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4388	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4996-1-0x0000000000CE0000-0x0000000000F94000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ccd-30.dat	dcrat
behavioral2/files/0x0008000000023ccd-111.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Executes dropped EXE 1 IoCs

pid	Process
944	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Registry.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File created	C:\Program Files\7-Zip\ee2ad38f3d4382	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\7-Zip\RCXE0C9.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\7-Zip\RCXE0CA.tmp	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
File opened for modification	C:\Program Files\7-Zip\Registry.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\unsecapp.exe	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1004	schtasks.exe
4980	schtasks.exe
4668	schtasks.exe
1224	schtasks.exe
32	schtasks.exe
5108	schtasks.exe
4292	schtasks.exe
4876	schtasks.exe
1956	schtasks.exe
2928	schtasks.exe
3472	schtasks.exe
1328	schtasks.exe
4880	schtasks.exe
4672	schtasks.exe
3116	schtasks.exe
3156	schtasks.exe
3984	schtasks.exe
3952	schtasks.exe
3460	schtasks.exe
1392	schtasks.exe
2772	schtasks.exe
1080	schtasks.exe
1076	schtasks.exe
4424	schtasks.exe
4892	schtasks.exe
1072	schtasks.exe
3612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe
944	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
944	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Token: SeDebugPrivilege	944	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2788	4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe	112
PID 4996 wrote to memory of 2788	4996	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe	112
PID 2788 wrote to memory of 3764	2788	cmd.exe	114
PID 2788 wrote to memory of 3764	2788	cmd.exe	114
PID 2788 wrote to memory of 944	2788	cmd.exe	116
PID 2788 wrote to memory of 944	2788	cmd.exe	116

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe
"C:\Users\Admin\AppData\Local\Temp\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW2xHJWZHv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3764
- - C:\Recovery\WindowsRE\csrss.exe
    "C:\Recovery\WindowsRE\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e03399682" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e03399682" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gW2xHJWZHv.bat

Filesize
196B

MD5
08f40a0d3f618b82bdd71b86b2decb19

SHA1
e0eab7856d7acead058d110df8282d3876067c78

SHA256
4ef1e007e9b16eef8145b78a4132b4cc9805b0d603edd797a4024b396b5ec6f5

SHA512
8c9bcf35e8e1993efe595ad9b31747d307d654fde30a8d81f8bf35fdfe692481e91bb953aec7421fd2f0642bc8f990240e68fd344e3619aa6e195d3fb472907d

Download Submit
C:\Users\Public\Videos\RuntimeBroker.exe

Filesize
2.7MB

MD5
d1c01cc216835792804d99d11eb3cc65

SHA1
fcc6ba2c826bc8f50995aa2971687bf70a71d2f7

SHA256
0621f606e65717a887b389827316cc85b60d50b79c666e6a1a827de2c9929f7f

SHA512
2afba38329d21cb8c54c9ddc417745fe66fda4f88f6e1ab46e36e59cfed708c2b26a4cad1f616f7b15dc78024a37b1870798d24a40cb8fc9d978803477e647ed

Download Submit
C:\Windows\Temp\MsEdgeCrashpad\reports\explorer.exe

Filesize
2.7MB

MD5
6820b43439b7b0b956738c547623aa7a

SHA1
0f1515df71948d13a8048b4afb6b8676c4a74298

SHA256
23036e1ac371c1c52c9508e7c1ad087da1d02b63c5f92609dafb0047e0339968

SHA512
9ea7d94280e5ebd4919fe9caf85d58a5c1c40d9ae3eac9f02acfdb2f62727b1168a353b6b91c2f09ee0ae68668cd2e0f823406d71fdc295f9c48639f87b39c34

Download Submit
memory/4996-12-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/4996-14-0x000000001C850000-0x000000001CD78000-memory.dmp

Filesize
5.2MB

Download
memory/4996-5-0x000000001C250000-0x000000001C2A0000-memory.dmp

Filesize
320KB

Download
memory/4996-7-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/4996-6-0x00000000031E0000-0x00000000031E8000-memory.dmp

Filesize
32KB

Download
memory/4996-8-0x000000001BBF0000-0x000000001BC06000-memory.dmp

Filesize
88KB

Download
memory/4996-9-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/4996-10-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/4996-11-0x000000001C2A0000-0x000000001C2F6000-memory.dmp

Filesize
344KB

Download
memory/4996-0-0x00007FF995B43000-0x00007FF995B45000-memory.dmp

Filesize
8KB

Download
memory/4996-13-0x000000001C2F0000-0x000000001C302000-memory.dmp

Filesize
72KB

Download
memory/4996-4-0x00000000031C0000-0x00000000031DC000-memory.dmp

Filesize
112KB

Download
memory/4996-15-0x000000001C320000-0x000000001C328000-memory.dmp

Filesize
32KB

Download
memory/4996-17-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/4996-16-0x000000001C330000-0x000000001C338000-memory.dmp

Filesize
32KB

Download
memory/4996-18-0x000000001C340000-0x000000001C34E000-memory.dmp

Filesize
56KB

Download
memory/4996-19-0x000000001C350000-0x000000001C35C000-memory.dmp

Filesize
48KB

Download
memory/4996-20-0x000000001C360000-0x000000001C36A000-memory.dmp

Filesize
40KB

Download
memory/4996-21-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/4996-3-0x00000000031B0000-0x00000000031BE000-memory.dmp

Filesize
56KB

Download
memory/4996-2-0x00007FF995B40000-0x00007FF996601000-memory.dmp

Filesize
10.8MB

Download
memory/4996-154-0x00007FF995B40000-0x00007FF996601000-memory.dmp

Filesize
10.8MB

Download
memory/4996-1-0x0000000000CE0000-0x0000000000F94000-memory.dmp

Filesize
2.7MB

Download