dcrat | 249f9bd035685660ae45fc4138334e744c30ce7e1038c140a98529b90c4270c5

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df04d21f8f4edc307cb444b18e8f201c.exe
Size

999KB
MD5

df04d21f8f4edc307cb444b18e8f201c
SHA1

9008920285ae41fe099cbfd11baa15e3909d140f
SHA256

51ef466bd86c5e96bff1611da1f13ec2691923618e9db5c490f6104cb95cd6d1
SHA512

a8e76e398d3de32aef34e3d424d52dd33a073a261958ddc8b6dff62941288aaf359e1d3604de025f021789f2eb70b932cb69f09e4b6aa79e5ff3528d4315c52c
SSDEEP

12288:P9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:P9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Default\\PrintHood\\csrss.exe\", \"C:\\ProgramData\\Favorites\\winlogon.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\smss.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WMIADAP.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Default\\PrintHood\\csrss.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\csrss.exe\", \"C:\\Users\\Default User\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Default\\PrintHood\\csrss.exe\", \"C:\\ProgramData\\Favorites\\winlogon.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe

Process spawned unexpected child process 31 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2640	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2640	schtasks.exe	31

Executes dropped EXE 1 IoCs

pid	Process
1588	smss.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Documents\\csrss.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Mail\\winlogon.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WMIADAP.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\ProgramData\\Favorites\\winlogon.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Adobe\\Updater6\\smss.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default User\\dwm.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\PrintHood\\csrss.exe\""	df04d21f8f4edc307cb444b18e8f201c.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	df04d21f8f4edc307cb444b18e8f201c.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	df04d21f8f4edc307cb444b18e8f201c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXEF83.tmp	df04d21f8f4edc307cb444b18e8f201c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXEF84.tmp	df04d21f8f4edc307cb444b18e8f201c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\winlogon.exe	df04d21f8f4edc307cb444b18e8f201c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 32 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
2748	schtasks.exe
2572	schtasks.exe
1008	schtasks.exe
2776	schtasks.exe
2408	schtasks.exe
2852	schtasks.exe
2520	schtasks.exe
2336	schtasks.exe
2564	schtasks.exe
2004	schtasks.exe
2648	schtasks.exe
300	schtasks.exe
784	schtasks.exe
2552	schtasks.exe
2996	schtasks.exe
2024	schtasks.exe
2292	schtasks.exe
1716	schtasks.exe
2612	schtasks.exe
2684	schtasks.exe
2368	schtasks.exe
796	schtasks.exe
1764	schtasks.exe
2624	schtasks.exe
2656	schtasks.exe
1792	schtasks.exe
1936	schtasks.exe
2804	schtasks.exe
2824	schtasks.exe
2544	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2936	df04d21f8f4edc307cb444b18e8f201c.exe
2936	df04d21f8f4edc307cb444b18e8f201c.exe
2936	df04d21f8f4edc307cb444b18e8f201c.exe
2936	df04d21f8f4edc307cb444b18e8f201c.exe
2936	df04d21f8f4edc307cb444b18e8f201c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	df04d21f8f4edc307cb444b18e8f201c.exe
Token: SeDebugPrivilege	1588	smss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1328	2936	df04d21f8f4edc307cb444b18e8f201c.exe	64
PID 2936 wrote to memory of 1328	2936	df04d21f8f4edc307cb444b18e8f201c.exe	64
PID 2936 wrote to memory of 1328	2936	df04d21f8f4edc307cb444b18e8f201c.exe	64
PID 1328 wrote to memory of 872	1328	cmd.exe	66
PID 1328 wrote to memory of 872	1328	cmd.exe	66
PID 1328 wrote to memory of 872	1328	cmd.exe	66
PID 1328 wrote to memory of 1588	1328	cmd.exe	67
PID 1328 wrote to memory of 1588	1328	cmd.exe	67
PID 1328 wrote to memory of 1588	1328	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\df04d21f8f4edc307cb444b18e8f201c.exe
"C:\Users\Admin\AppData\Local\Temp\df04d21f8f4edc307cb444b18e8f201c.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW2xHJWZHv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:872
- - C:\ProgramData\Adobe\Updater6\smss.exe
    "C:\ProgramData\Adobe\Updater6\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 11 /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\ProgramData\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\ProgramData\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Users\Default\PrintHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc MINUTE /mo 5 /tr "'C:\ProgramData\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\ProgramData\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONSTART /tr "'C:\ProgramData\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\ProgramData\Favorites\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 13 /tr "'C:\ProgramData\Adobe\Updater6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\ProgramData\Adobe\Updater6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\ProgramData\Adobe\Updater6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
999KB

MD5
df04d21f8f4edc307cb444b18e8f201c

SHA1
9008920285ae41fe099cbfd11baa15e3909d140f

SHA256
51ef466bd86c5e96bff1611da1f13ec2691923618e9db5c490f6104cb95cd6d1

SHA512
a8e76e398d3de32aef34e3d424d52dd33a073a261958ddc8b6dff62941288aaf359e1d3604de025f021789f2eb70b932cb69f09e4b6aa79e5ff3528d4315c52c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
999KB

MD5
0f8d91ddc25e466f5454212c42cc706f

SHA1
eba3d12c28dfda7372368511ff9ac2c4c1e3e03f

SHA256
00a11cb683f3e2c8bbbaf00dae09d9a94fbaf862033731cc349b6a9f7d815e26

SHA512
99b212141310fba128be46261d3bf5d2fa896ae79b35f016a1af07c76229af4aad8a2e078761adc89897449a7078f07dd95fca169d25c57d936c6256b82fda0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW2xHJWZHv.bat

Filesize
202B

MD5
48d56323c805cb0a0df5b68396db50e8

SHA1
e3639dd33117b204c626006434ced81449f4bb15

SHA256
55d8e0d10933f772600b20d3af29557c6f79e0edaf3636a31bca11c8f9b3a0f4

SHA512
9b5004813bd780ee6a004034462477f3e6f5ea111b50e672d2b36521aab6617e83ae0e333cb6643f162f3e465f9a3636cd836385160cadc65c1cefdb81c6c9da

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\csrss.exe

Filesize
999KB

MD5
6e13fad6a3eb03e4b50dbfd538c008e1

SHA1
fa89e8ea1f10804dae0f8c2f77ea8139b72b604b

SHA256
2db0a2df77186e19cc5a42efcaba5e34d709ddf2409938a2799b0f3b99ee07b0

SHA512
fa901f4cb614f2cfbd59862ea5f22f758b42aa7b2be6f0e68ea787ac4b14097b8a6293a389278dab240ead4acca1dcd336d4c02d3eccd380e784d6cfdde40b9b

Download Submit
C:\Users\Public\Documents\csrss.exe

Filesize
999KB

MD5
816245f0e527e540943f8ddcae7b219b

SHA1
0894fde284d0e96293a05f027d48e9afd44c30d7

SHA256
ad979b4d4b8ffe324954ff32130b06d04899a14ee1e059cdc3dedd9a82d784c8

SHA512
ec214072021249be20023ff7200ee5f37cd810b22f7170f226a8ff6266b4857d067b7a5cfdce45258712855a2289a653c68d54850a53b57a2f733e7b47864a70

Download Submit
C:\Users\Public\Favorites\winlogon.exe

Filesize
999KB

MD5
d4709c44114f8dfe37509dcb40a9692f

SHA1
6b7d0fd40d627b5addbba26ae5f279a53569bdb9

SHA256
8b0bbe26684f5b2e9de3df4c9e5ecc0f231021fce2d91da47ce6982c5c547d9d

SHA512
2b25eacf6aebd26fd5a6f118a364edb5aa17e13625b9429cb4c1b7e289ff0b8142745b6f1e23d8ce0539506a12dcafa45e0a99153deb20b17b9775e160169aea

Download Submit
memory/1588-133-0x0000000001340000-0x0000000001440000-memory.dmp

Filesize
1024KB

Download
memory/2936-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2936-8-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2936-10-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2936-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2936-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2936-7-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2936-6-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2936-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/2936-4-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2936-130-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2936-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2936-1-0x0000000000EC0000-0x0000000000FC0000-memory.dmp

Filesize
1024KB

Download