dcrat | 7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb

Analysis

max time kernel
129s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Size

2.7MB
MD5

9bfdb51d9bf8b65fb81ea7083f147695
SHA1

c0eeb27e17afd5c9c2c2887aefadb171657f79bb
SHA256

7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb
SHA512

12820d32910da209fcd21b0d78a821d9e5778800224d9405cc6c55bfa9ea6fc2435f2ab83c130beb07e6c5d393ede8114d9aaa4d82665cbf64fc5b45479ebb0f
SSDEEP

49152:twqc9JR8znSZnLiIvYqxT4icZ1TQjI6bEfmI4xvykALzt:thEtjvFxT5cZ1EjI6bkp+yt

Score

10^/10

dcrat defense_evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2900	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2900	schtasks.exe	29

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2540-1-0x0000000000050000-0x0000000000304000-memory.dmp	dcrat
behavioral1/files/0x0006000000019489-28.dat	dcrat
behavioral1/files/0x000a000000018b59-98.dat	dcrat
behavioral1/files/0x0008000000019489-109.dat	dcrat
behavioral1/files/0x0007000000019761-120.dat	dcrat
behavioral1/memory/2392-157-0x0000000001110000-0x00000000013C4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2392	taskhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\175a1757e47307	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Program Files\Microsoft Games\RCXD693.tmp	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Program Files\Microsoft Games\RCXD694.tmp	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File created	C:\Program Files\Microsoft Games\lsass.exe	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File created	C:\Program Files\Microsoft Games\6203df4a6bafc7	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD8A7.tmp	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD8B8.tmp	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Program Files\Microsoft Games\lsass.exe	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\smss.exe	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File created	C:\Windows\Cursors\69ddcba757bf72	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Windows\Cursors\RCXE26F.tmp	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Windows\Cursors\RCXE2FD.tmp	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
File opened for modification	C:\Windows\Cursors\smss.exe	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2000	schtasks.exe
1680	schtasks.exe
1644	schtasks.exe
1944	schtasks.exe
3028	schtasks.exe
1356	schtasks.exe
2948	schtasks.exe
1152	schtasks.exe
564	schtasks.exe
2620	schtasks.exe
1940	schtasks.exe
2840	schtasks.exe
2976	schtasks.exe
2980	schtasks.exe
336	schtasks.exe
2476	schtasks.exe
1016	schtasks.exe
2680	schtasks.exe
2692	schtasks.exe
2128	schtasks.exe
1616	schtasks.exe
1064	schtasks.exe
2916	schtasks.exe
2628	schtasks.exe
3000	schtasks.exe
1996	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe
2392	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Token: SeDebugPrivilege	2392	taskhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1472	2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe	57
PID 2540 wrote to memory of 1472	2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe	57
PID 2540 wrote to memory of 1472	2540	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe	57
PID 1472 wrote to memory of 468	1472	cmd.exe	59
PID 1472 wrote to memory of 468	1472	cmd.exe	59
PID 1472 wrote to memory of 468	1472	cmd.exe	59
PID 1472 wrote to memory of 2392	1472	cmd.exe	60
PID 1472 wrote to memory of 2392	1472	cmd.exe	60
PID 1472 wrote to memory of 2392	1472	cmd.exe	60

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe
"C:\Users\Admin\AppData\Local\Temp\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQv3iUx6r8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:468
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb7" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb7" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe

Filesize
2.7MB

MD5
9bfdb51d9bf8b65fb81ea7083f147695

SHA1
c0eeb27e17afd5c9c2c2887aefadb171657f79bb

SHA256
7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb

SHA512
12820d32910da209fcd21b0d78a821d9e5778800224d9405cc6c55bfa9ea6fc2435f2ab83c130beb07e6c5d393ede8114d9aaa4d82665cbf64fc5b45479ebb0f

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe

Filesize
2.7MB

MD5
4d385bcf06fec7ca7dd64f5dfbe799cc

SHA1
017eaf5ccbc9f7a65d755372e3db0a8e9e3c188a

SHA256
1fb55aaf32ef56bfa568a079315fb8e21a0dbc51006d986202d4016428edc664

SHA512
de809c54401ee777f32fda6e35e83399b3e12e1238c5478c019759d0af03a65a76402a55cdef33c0f87bd33a64611caf62bf7b0b666e01a54e0454827f26e1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQv3iUx6r8.bat

Filesize
226B

MD5
10025a38a0b7d9a2e8676e7d871ef88e

SHA1
206bd3a37213f9ac0cf8e83ea93a299a704c9aa6

SHA256
d61e657c92106f70b338a679d8634bf34f3c931a2585f27ea9e0c3de436313cb

SHA512
63598d13a82d7f504eb5efb0d103146b9aefbfc87ed110a95910bdbd5171f57e9f2de77d46cec17d16550759c476edf66ee47dca4d910dc28d62357782d2fadb

Download Submit
C:\Users\Default\csrss.exe

Filesize
2.7MB

MD5
082c7b8383ae685380a9ee5e06b30840

SHA1
6968f60cc0b21f029f3886b02af7c3b38ab21783

SHA256
a36c0348faf59bf72048cb448cffad1232b8a66477aed7f43496a4165f7e2432

SHA512
4fbf896105fe659ba7ccfb4cc204480aabf3c9a47bbe8efe4bc3144c815e11fcc153256c2e5902d6e0b31656887311dad60fe5f9cf61c2f13ba8090dbcffa48a

Download Submit
C:\Windows\Cursors\smss.exe

Filesize
2.7MB

MD5
595e0d0ff476f56d37e1b62e2ab36f89

SHA1
9b859a1b34f56c0f9177d67b38ad3fb4fce7d5b4

SHA256
9765b208aacb8f05009607f537a4f83ed2887f56c95e86cd395bbb95145fe449

SHA512
ea11aab5dec09cc0da16e16e5ed05803ba670a864ec91eba0e9a582522222fb20ba8c5b788ad0f12a662aecedd0e833b0d59bcf74f65989512398e07b2544037

Download Submit
memory/2392-159-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2392-158-0x0000000000580000-0x00000000005D6000-memory.dmp

Filesize
344KB

Download
memory/2392-157-0x0000000001110000-0x00000000013C4000-memory.dmp

Filesize
2.7MB

Download
memory/2540-7-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/2540-19-0x000000001AA20000-0x000000001AA2C000-memory.dmp

Filesize
48KB

Download
memory/2540-10-0x0000000002240000-0x0000000002296000-memory.dmp

Filesize
344KB

Download
memory/2540-11-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2540-12-0x0000000002220000-0x0000000002232000-memory.dmp

Filesize
72KB

Download
memory/2540-14-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2540-13-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2540-15-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/2540-16-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/2540-17-0x000000001AA00000-0x000000001AA0C000-memory.dmp

Filesize
48KB

Download
memory/2540-18-0x000000001AA10000-0x000000001AA1A000-memory.dmp

Filesize
40KB

Download
memory/2540-9-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2540-8-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/2540-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/2540-5-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2540-6-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/2540-147-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/2540-154-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-4-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/2540-3-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/2540-2-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-1-0x0000000000050000-0x0000000000304000-memory.dmp

Filesize
2.7MB

Download