dcrat | d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

Resubmissions

13/01/2025, 05:29

250113-f6xncaxraw 10

12/01/2025, 19:21

250112-x2mq1svqe1 10

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/01/2025, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183CB9283D9C8F6282283BD39F49D33C.exe
Size

2.7MB
MD5

183cb9283d9c8f6282283bd39f49d33c
SHA1

76674564064d31bb9d37f802bdec3821d4a55d89
SHA256

d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984
SHA512

14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22
SSDEEP

49152:Bfj5Pkja3lMPnl9LS7y5PEeQxtD5vLyCse5EPUC1SKGLFSjvzbN+/rV:BfBkyqPnDSOdEeQfocN8GLQLkz

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2908	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/264-1-0x0000000001280000-0x0000000001534000-memory.dmp	dcrat
behavioral1/files/0x000600000001747b-29.dat	dcrat
behavioral1/files/0x00070000000190cd-74.dat	dcrat
behavioral1/files/0x000b000000016d1b-120.dat	dcrat
behavioral1/files/0x000a0000000190d6-161.dat	dcrat
behavioral1/files/0x0006000000019273-200.dat	dcrat
behavioral1/memory/2492-224-0x00000000010D0000-0x0000000001384000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2492	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\de-DE\54bd7cdf8743a5	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Uninstall Information\183CB9283D9C8F6282283BD39F49D33C.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\183CB9283D9C8F6282283BD39F49D33C.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\183CB9283D9C8F6282283BD39F49D33C.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE03D.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Uninstall Information\smss.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\0a1fd5f707cd16	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD73E.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE03C.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCXF574.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCXF573.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Uninstall Information\54bd7cdf8743a5	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD73F.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\RCXE948.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF35F.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Program Files\Windows Journal\de-DE\183CB9283D9C8F6282283BD39F49D33C.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\RCXE949.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF2F1.tmp	183CB9283D9C8F6282283BD39F49D33C.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCXE6D6.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\de-DE\RCXE745.tmp	183CB9283D9C8F6282283BD39F49D33C.exe
File opened for modification	C:\Windows\de-DE\smss.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\de-DE\smss.exe	183CB9283D9C8F6282283BD39F49D33C.exe
File created	C:\Windows\de-DE\69ddcba757bf72	183CB9283D9C8F6282283BD39F49D33C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2652	schtasks.exe
2144	schtasks.exe
1616	schtasks.exe
1944	schtasks.exe
1360	schtasks.exe
1036	schtasks.exe
864	schtasks.exe
868	schtasks.exe
2004	schtasks.exe
1672	schtasks.exe
3000	schtasks.exe
1856	schtasks.exe
680	schtasks.exe
1828	schtasks.exe
1540	schtasks.exe
2784	schtasks.exe
344	schtasks.exe
2676	schtasks.exe
1264	schtasks.exe
804	schtasks.exe
300	schtasks.exe
2236	schtasks.exe
2164	schtasks.exe
2800	schtasks.exe
2844	schtasks.exe
2588	schtasks.exe
2472	schtasks.exe
2944	schtasks.exe
2620	schtasks.exe
1660	schtasks.exe
2232	schtasks.exe
2712	schtasks.exe
2856	schtasks.exe
2404	schtasks.exe
1716	schtasks.exe
1276	schtasks.exe
2392	schtasks.exe
2648	schtasks.exe
1780	schtasks.exe
1908	schtasks.exe
1460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
264	183CB9283D9C8F6282283BD39F49D33C.exe
264	183CB9283D9C8F6282283BD39F49D33C.exe
264	183CB9283D9C8F6282283BD39F49D33C.exe
264	183CB9283D9C8F6282283BD39F49D33C.exe
264	183CB9283D9C8F6282283BD39F49D33C.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe
2492	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2492	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	183CB9283D9C8F6282283BD39F49D33C.exe
Token: SeDebugPrivilege	2492	Idle.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2956	264	183CB9283D9C8F6282283BD39F49D33C.exe	74
PID 264 wrote to memory of 2956	264	183CB9283D9C8F6282283BD39F49D33C.exe	74
PID 264 wrote to memory of 2956	264	183CB9283D9C8F6282283BD39F49D33C.exe	74
PID 2956 wrote to memory of 444	2956	cmd.exe	76
PID 2956 wrote to memory of 444	2956	cmd.exe	76
PID 2956 wrote to memory of 444	2956	cmd.exe	76
PID 2956 wrote to memory of 2492	2956	cmd.exe	77
PID 2956 wrote to memory of 2492	2956	cmd.exe	77
PID 2956 wrote to memory of 2492	2956	cmd.exe	77

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	183CB9283D9C8F6282283BD39F49D33C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\183CB9283D9C8F6282283BD39F49D33C.exe
"C:\Users\Admin\AppData\Local\Temp\183CB9283D9C8F6282283BD39F49D33C.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pj3I5zz9mM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:444
- - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "183CB9283D9C8F6282283BD39F49D33C1" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\de-DE\183CB9283D9C8F6282283BD39F49D33C.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "183CB9283D9C8F6282283BD39F49D33C" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\183CB9283D9C8F6282283BD39F49D33C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "183CB9283D9C8F6282283BD39F49D33C1" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\de-DE\183CB9283D9C8F6282283BD39F49D33C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "183CB9283D9C8F6282283BD39F49D33C1" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\183CB9283D9C8F6282283BD39F49D33C.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "183CB9283D9C8F6282283BD39F49D33C" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\183CB9283D9C8F6282283BD39F49D33C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "183CB9283D9C8F6282283BD39F49D33C1" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\183CB9283D9C8F6282283BD39F49D33C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\183CB9283D9C8F6282283BD39F49D33C.exe

Filesize
2.7MB

MD5
f2009487a889b6e1ce7b87c9ee46e008

SHA1
a317a649306cb7e0c0144f6066a9bc732b11a281

SHA256
b1f104e7e2086ee21c693016c6fb2571e0ff59ba2166a2d325a8f275fd55e916

SHA512
fd350cb08736fad689bdef366588d94b27d36c91a6fddb96dd3af769852aedcc3223bc6d945448532b89d188dfdd60b4b256a20e14fab669f28f7b954d3d29a1

Download Submit
C:\Program Files\Uninstall Information\csrss.exe

Filesize
2.7MB

MD5
183cb9283d9c8f6282283bd39f49d33c

SHA1
76674564064d31bb9d37f802bdec3821d4a55d89

SHA256
d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

SHA512
14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\audiodg.exe

Filesize
2.7MB

MD5
309b67c147636650676e75603304b421

SHA1
1464db84f1824e590844c17e439a63f529cac423

SHA256
d13fa3273121bb535097fc3547429081b1141fbb54d6bf83e791cc4fa16f834b

SHA512
313d1d646cbc8e91bf94909007016570d47b7ec46f3f9e44ecb400cc3769686e54d0bb5d5144ca5f8b1a66bb9aec9c62497cdee04136a8973107e1df34732c5e

Download Submit
C:\ProgramData\RCXEB4D.tmp

Filesize
2.7MB

MD5
eee9f7236027ad9db40a6f08d5e693e2

SHA1
0dbcd9164e5a04d64c99910a4a4e0c2cb72f4302

SHA256
0345206029f781a5cafb7a9f0be90228b59ef1bdcdc9c86e1aeff6ba1c41c091

SHA512
2c340b07bcb3ff77cca8e019d887894b65b2ff7bed9639b7225740bdd30dd58db9a1b80e523c2a5ae8b080546b117b48bd37516104b51b2e6c69a1b822ca2bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pj3I5zz9mM.bat

Filesize
236B

MD5
5555894e2773e14adccfe814f5817848

SHA1
cb0d92cb246363be0a2ae8bbc83e29c16e00cf09

SHA256
ac522477b49108c971b7960442a9a20b1b0c8e6d9a2efcda2bc080f1d3541742

SHA512
24d79b46d35d213d7244e3917654d70da78c62905e8b4ad5a3072c8f2c4a35d0e542c3ab9237e8902d96fb5a67b4fec84e23efebc882cceca197bdc5a8d3997d

Download Submit
C:\Users\Default\Favorites\csrss.exe

Filesize
2.7MB

MD5
e6f9df92e2ccd3f7417feee92f8f8396

SHA1
b7127ad8b2f1bf72c5f24d1e5817edaf741f40c8

SHA256
5afef6c78e0899946dcc7988ff7d8152dc132d1728b4b82688e8f594a5d4027d

SHA512
dd3bca5f647d442779b4c4ddfc82f2f49a6d0c5dd248174e417fc42fc1847247271b09437e72db4ff3114e15d310bedbfcd4fe54ff828d12b4828e670436147f

Download Submit
memory/264-8-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/264-19-0x000000001A9A0000-0x000000001A9AA000-memory.dmp

Filesize
40KB

Download
memory/264-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/264-9-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/264-10-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/264-11-0x0000000001220000-0x0000000001276000-memory.dmp

Filesize
344KB

Download
memory/264-12-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/264-13-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/264-14-0x0000000001270000-0x0000000001278000-memory.dmp

Filesize
32KB

Download
memory/264-15-0x000000001A960000-0x000000001A968000-memory.dmp

Filesize
32KB

Download
memory/264-16-0x000000001A970000-0x000000001A97C000-memory.dmp

Filesize
48KB

Download
memory/264-17-0x000000001A980000-0x000000001A98E000-memory.dmp

Filesize
56KB

Download
memory/264-18-0x000000001A990000-0x000000001A99C000-memory.dmp

Filesize
48KB

Download
memory/264-7-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/264-20-0x000000001A9B0000-0x000000001A9BC000-memory.dmp

Filesize
48KB

Download
memory/264-6-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/264-5-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/264-4-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/264-3-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/264-191-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/264-2-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/264-214-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/264-1-0x0000000001280000-0x0000000001534000-memory.dmp

Filesize
2.7MB

Download
memory/264-221-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-224-0x00000000010D0000-0x0000000001384000-memory.dmp

Filesize
2.7MB

Download
memory/2492-225-0x0000000001080000-0x00000000010D6000-memory.dmp

Filesize
344KB

Download
memory/2492-226-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download