dcrat | 5b1a883fc342ab1654912c119190f04771ae47477f1a006b932150129675134c

Analysis

max time kernel
151s
max time network
161s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3925d50ec09cade5278e78250a503852.exe
Size

885KB
MD5

3925d50ec09cade5278e78250a503852
SHA1

2bc4c2fc3e2b24577b7e6901378fa378e6601dc9
SHA256

70095186bd0a9bdafdf96d48c8d17b1539b12fd80480259a5be27c3d5de188cb
SHA512

e93d68eed7a30d6dcbcc3d113b8c0dd80330753b8163f3ca7cfbe484391952e22649d2d33e652b0bf7ffc03afbbee5aaffd076b5dc1426ac802de95554426a3c
SSDEEP

12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2908	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/2864-1-0x0000000000D00000-0x0000000000DE4000-memory.dmp	dcrat
behavioral19/files/0x000500000001a457-18.dat	dcrat
behavioral19/files/0x000800000001a473-57.dat	dcrat
behavioral19/memory/956-100-0x00000000012F0000-0x00000000013D4000-memory.dmp	dcrat
behavioral19/memory/2376-133-0x00000000003B0000-0x0000000000494000-memory.dmp	dcrat
behavioral19/memory/2792-145-0x00000000008A0000-0x0000000000984000-memory.dmp	dcrat
behavioral19/memory/1580-157-0x00000000010C0000-0x00000000011A4000-memory.dmp	dcrat
behavioral19/memory/2644-191-0x00000000000F0000-0x00000000001D4000-memory.dmp	dcrat
behavioral19/memory/2864-203-0x0000000000D20000-0x0000000000E04000-memory.dmp	dcrat
behavioral19/memory/2860-215-0x00000000012B0000-0x0000000001394000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
956	sppsvc.exe
2336	sppsvc.exe
1668	sppsvc.exe
2376	sppsvc.exe
2792	sppsvc.exe
1580	sppsvc.exe
1056	sppsvc.exe
2844	sppsvc.exe
2644	sppsvc.exe
2864	sppsvc.exe
2860	sppsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX82F3.tmp	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	3925d50ec09cade5278e78250a503852.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8231.tmp	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX82CE.tmp	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX82F2.tmp	3925d50ec09cade5278e78250a503852.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\sppsvc.exe	3925d50ec09cade5278e78250a503852.exe
File created	C:\Windows\ShellNew\0a1fd5f707cd16	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Windows\ShellNew\RCX82CF.tmp	3925d50ec09cade5278e78250a503852.exe
File opened for modification	C:\Windows\ShellNew\RCX82DF.tmp	3925d50ec09cade5278e78250a503852.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
2724	schtasks.exe
2288	schtasks.exe
316	schtasks.exe
916	schtasks.exe
2736	schtasks.exe
3008	schtasks.exe
2716	schtasks.exe
2700	schtasks.exe
1184	schtasks.exe
1880	schtasks.exe
2196	schtasks.exe
2100	schtasks.exe
3016	schtasks.exe
2420	schtasks.exe
1036	schtasks.exe
2188	schtasks.exe
628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2864	3925d50ec09cade5278e78250a503852.exe
2864	3925d50ec09cade5278e78250a503852.exe
2864	3925d50ec09cade5278e78250a503852.exe
956	sppsvc.exe
2336	sppsvc.exe
1668	sppsvc.exe
2376	sppsvc.exe
2792	sppsvc.exe
1580	sppsvc.exe
1056	sppsvc.exe
2844	sppsvc.exe
2644	sppsvc.exe
2864	sppsvc.exe
2860	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	3925d50ec09cade5278e78250a503852.exe
Token: SeDebugPrivilege	956	sppsvc.exe
Token: SeDebugPrivilege	2336	sppsvc.exe
Token: SeDebugPrivilege	1668	sppsvc.exe
Token: SeDebugPrivilege	2376	sppsvc.exe
Token: SeDebugPrivilege	2792	sppsvc.exe
Token: SeDebugPrivilege	1580	sppsvc.exe
Token: SeDebugPrivilege	1056	sppsvc.exe
Token: SeDebugPrivilege	2844	sppsvc.exe
Token: SeDebugPrivilege	2644	sppsvc.exe
Token: SeDebugPrivilege	2864	sppsvc.exe
Token: SeDebugPrivilege	2860	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 956	2864	3925d50ec09cade5278e78250a503852.exe	49
PID 2864 wrote to memory of 956	2864	3925d50ec09cade5278e78250a503852.exe	49
PID 2864 wrote to memory of 956	2864	3925d50ec09cade5278e78250a503852.exe	49
PID 2864 wrote to memory of 956	2864	3925d50ec09cade5278e78250a503852.exe	49
PID 2864 wrote to memory of 956	2864	3925d50ec09cade5278e78250a503852.exe	49
PID 956 wrote to memory of 1520	956	sppsvc.exe	50
PID 956 wrote to memory of 1520	956	sppsvc.exe	50
PID 956 wrote to memory of 1520	956	sppsvc.exe	50
PID 956 wrote to memory of 740	956	sppsvc.exe	51
PID 956 wrote to memory of 740	956	sppsvc.exe	51
PID 956 wrote to memory of 740	956	sppsvc.exe	51
PID 1520 wrote to memory of 2336	1520	WScript.exe	52
PID 1520 wrote to memory of 2336	1520	WScript.exe	52
PID 1520 wrote to memory of 2336	1520	WScript.exe	52
PID 1520 wrote to memory of 2336	1520	WScript.exe	52
PID 1520 wrote to memory of 2336	1520	WScript.exe	52
PID 2336 wrote to memory of 852	2336	sppsvc.exe	53
PID 2336 wrote to memory of 852	2336	sppsvc.exe	53
PID 2336 wrote to memory of 852	2336	sppsvc.exe	53
PID 2336 wrote to memory of 3044	2336	sppsvc.exe	54
PID 2336 wrote to memory of 3044	2336	sppsvc.exe	54
PID 2336 wrote to memory of 3044	2336	sppsvc.exe	54
PID 852 wrote to memory of 1668	852	WScript.exe	55
PID 852 wrote to memory of 1668	852	WScript.exe	55
PID 852 wrote to memory of 1668	852	WScript.exe	55
PID 852 wrote to memory of 1668	852	WScript.exe	55
PID 852 wrote to memory of 1668	852	WScript.exe	55
PID 1668 wrote to memory of 3024	1668	sppsvc.exe	56
PID 1668 wrote to memory of 3024	1668	sppsvc.exe	56
PID 1668 wrote to memory of 3024	1668	sppsvc.exe	56
PID 1668 wrote to memory of 2700	1668	sppsvc.exe	57
PID 1668 wrote to memory of 2700	1668	sppsvc.exe	57
PID 1668 wrote to memory of 2700	1668	sppsvc.exe	57
PID 3024 wrote to memory of 2376	3024	WScript.exe	58
PID 3024 wrote to memory of 2376	3024	WScript.exe	58
PID 3024 wrote to memory of 2376	3024	WScript.exe	58
PID 3024 wrote to memory of 2376	3024	WScript.exe	58
PID 3024 wrote to memory of 2376	3024	WScript.exe	58
PID 2376 wrote to memory of 1124	2376	sppsvc.exe	59
PID 2376 wrote to memory of 1124	2376	sppsvc.exe	59
PID 2376 wrote to memory of 1124	2376	sppsvc.exe	59
PID 2376 wrote to memory of 1144	2376	sppsvc.exe	60
PID 2376 wrote to memory of 1144	2376	sppsvc.exe	60
PID 2376 wrote to memory of 1144	2376	sppsvc.exe	60
PID 1124 wrote to memory of 2792	1124	WScript.exe	61
PID 1124 wrote to memory of 2792	1124	WScript.exe	61
PID 1124 wrote to memory of 2792	1124	WScript.exe	61
PID 1124 wrote to memory of 2792	1124	WScript.exe	61
PID 1124 wrote to memory of 2792	1124	WScript.exe	61
PID 2792 wrote to memory of 1880	2792	sppsvc.exe	62
PID 2792 wrote to memory of 1880	2792	sppsvc.exe	62
PID 2792 wrote to memory of 1880	2792	sppsvc.exe	62
PID 2792 wrote to memory of 1800	2792	sppsvc.exe	63
PID 2792 wrote to memory of 1800	2792	sppsvc.exe	63
PID 2792 wrote to memory of 1800	2792	sppsvc.exe	63
PID 1880 wrote to memory of 1580	1880	WScript.exe	64
PID 1880 wrote to memory of 1580	1880	WScript.exe	64
PID 1880 wrote to memory of 1580	1880	WScript.exe	64
PID 1880 wrote to memory of 1580	1880	WScript.exe	64
PID 1880 wrote to memory of 1580	1880	WScript.exe	64
PID 1580 wrote to memory of 1660	1580	sppsvc.exe	65
PID 1580 wrote to memory of 1660	1580	sppsvc.exe	65
PID 1580 wrote to memory of 1660	1580	sppsvc.exe	65
PID 1580 wrote to memory of 896	1580	sppsvc.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3925d50ec09cade5278e78250a503852.exe
"C:\Users\Admin\AppData\Local\Temp\3925d50ec09cade5278e78250a503852.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\ShellNew\sppsvc.exe
  "C:\Windows\ShellNew\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317d8b42-6504-42e2-be3d-f42b0723f038.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\ShellNew\sppsvc.exe
      C:\Windows\ShellNew\sppsvc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500c2cb7-23d9-4d83-9431-1c9e028eb0e0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e626fcad-3efd-4240-b78e-fd7155550ea7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5774a42c-4a92-4f9e-802e-9dd28628aab7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c6876aa-a532-4526-aa3f-6b3f3b1600e4.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be19e966-6f1c-413f-a1c1-4de9ba83108a.vbs"
        13⤵
        
        PID:1660
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bff8c115-f747-437d-b60d-66d355584d8e.vbs"
        15⤵
        
        PID:2928
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a8ee767-00b3-4c90-a9dd-2cba671b5707.vbs"
        17⤵
        
        PID:2676
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdf28c71-ff3c-4289-9259-bda50984b388.vbs"
        19⤵
        
        PID:2428
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1d22656-bce9-47cb-a71b-8991b9c441af.vbs"
        21⤵
        
        PID:1792
        
        C:\Windows\ShellNew\sppsvc.exe
        
        C:\Windows\ShellNew\sppsvc.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7338c50f-c8dc-483f-ad82-0fa2856415e3.vbs"
        23⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aab5f009-abd2-41a9-9a9d-b8be7358bb03.vbs"
        23⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83447305-96a1-4978-adb4-acaa388553fc.vbs"
        21⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a98f7de-1a8b-48f0-9aff-58ebaaa910cc.vbs"
        19⤵
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8f05908-998f-48b1-8537-aa470428d773.vbs"
        17⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c61d1ce1-8226-431e-87b3-3e205a7e3ca6.vbs"
        15⤵
        
        PID:108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ad4829-b840-4b4a-b51b-bd9920a00730.vbs"
        13⤵
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab9e609d-bd7e-44f2-8118-54c7d0290b50.vbs"
        11⤵
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\097d36ae-7151-4132-943e-911cf1eccd0e.vbs"
        9⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e310131-12e5-4714-af95-ba2a2efb4158.vbs"
        7⤵
        
        PID:2700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15465c23-5476-4090-bda5-22515d0786af.vbs"
        5⤵
        
        PID:3044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04bc80cb-71de-46da-b0fb-2e4c4dfa49bb.vbs"
    3⤵
    PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe

Filesize
885KB

MD5
9c7a05784e255bf838447cbd08fc37fc

SHA1
c369a5be63ad9d9531af6f173dc4dfa72c94909f

SHA256
9dcb78ab67830cf31dda5896e374024edd3e9592035610d1078e575930f938a4

SHA512
acb5c527eb0ec687280d4a286f906f2f04e1c3c69a0db6c8c87b7937072b5979ac4581bcd4cbe8eb81bb19f178c1f47de99ce9d0881c204bc03e93c504f02ce4

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe

Filesize
885KB

MD5
3925d50ec09cade5278e78250a503852

SHA1
2bc4c2fc3e2b24577b7e6901378fa378e6601dc9

SHA256
70095186bd0a9bdafdf96d48c8d17b1539b12fd80480259a5be27c3d5de188cb

SHA512
e93d68eed7a30d6dcbcc3d113b8c0dd80330753b8163f3ca7cfbe484391952e22649d2d33e652b0bf7ffc03afbbee5aaffd076b5dc1426ac802de95554426a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\04bc80cb-71de-46da-b0fb-2e4c4dfa49bb.vbs

Filesize
482B

MD5
3c52d2934477b580e1ed3a9678c2e399

SHA1
a48ac2a8d84885030a787a7baeaed55234b042e1

SHA256
f880f8e3a40fd4be8a9d42d848343b507d3ea07c03ea7a2c8a88e1f5350dc8f1

SHA512
371fadedfbd1cb11911ed4862316a21bd56a3eb07dd9ac0a05c27af7f91a7420cc462a3c89aa7c1d696b972865454f36d33b57989b177de15fcad1b7c921b2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\317d8b42-6504-42e2-be3d-f42b0723f038.vbs

Filesize
705B

MD5
529695ba252bd1b2855faf0a5134a09c

SHA1
196436cb1ac2531b8d2922ae5f12a15694b3e463

SHA256
1a482e53cd911f909e1b1714b4c4f68f668a109a8a1c32bf2f39084b6cc63e33

SHA512
13ae371b7852b830b3f302268fb024c623c3e120c69ea6ca8fd004a1c166bdb79ed1db46b29cd9dd8085b222a7c3fcec9ceb07619b3ff04214f0a7cd4d372ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\500c2cb7-23d9-4d83-9431-1c9e028eb0e0.vbs

Filesize
706B

MD5
342c07d413fe9ac65e5d9151769f0964

SHA1
0eb33932b1f0f4ba55fb8fcc0e481ad5cbe8aba8

SHA256
b65a4958aa8da98676e12c27b0495b53f7ee245ce69b9b98a32bf40419d91e25

SHA512
1b980ec6184e37c74ee83d1a67cb37e6643848d96b420979e259712171ad7cbb525cb4da6fff3a130a131e1edda3cb64e9e82b81e30781e03e35c8a0cfba24cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5774a42c-4a92-4f9e-802e-9dd28628aab7.vbs

Filesize
706B

MD5
844580937ca4a6eff97f28aefa2d61fe

SHA1
a2ff2e46ef71fec54262719e8021c90bbba21420

SHA256
7fde561d61f75c836739cb066fbb13cc0546a72b131ab8c369751c827a0da563

SHA512
374e65e055557a484298dcb4fbee866a0c1fdcb58460a73c40353118e4f8f0069184cc9832e8e9b635ecd820e1996610af6571c53dbd8ba52e99c18496b64fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a8ee767-00b3-4c90-a9dd-2cba671b5707.vbs

Filesize
706B

MD5
78849e7267ea6764038b7c76672a4b2f

SHA1
ce662479786a8ebe16a0f60185786e202d840aaa

SHA256
327e53ffa59f6ff927890490aff862910874bc170824d3db6412e11b12d7061a

SHA512
2b90628fef6669d9173c6b04eb6a5e5a6736f2532145001ab4ff126876b94123b95d93dd0be6fcaa366ae4eea93e424cae081501ed2629559c703e5fd1271bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\7338c50f-c8dc-483f-ad82-0fa2856415e3.vbs

Filesize
706B

MD5
9f7111cf97113e7a19e2d01c3f641562

SHA1
02e3d115ccbe21d2eb604c3c867f6c62610658a1

SHA256
30018bbab5b869d09e8149889fede2f219a174d1bcfc3d0239ef5dbeb9de65d2

SHA512
fb5259cf764485683021729472ae8d0b5fcf1d2037a8dbf6dafd4330847c43bc651c06ea22b8fb061ec0fdfcd9a619492a5bf2b76cae62204676b01e4f3ebe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c6876aa-a532-4526-aa3f-6b3f3b1600e4.vbs

Filesize
706B

MD5
e497c531ea05d25d1c66259f8c64400e

SHA1
cb2e016fb1d6520992d7355629e3248c1d689349

SHA256
0bcd21e47e146fb7c8dd2a975d26da1d5236d4e3e7ca62c0043d1165f6ea0454

SHA512
08e80db7d35ac6b60f267f64629c163c02035df68d65c2e0581d6c35005fe4353666f06b6b313b5a6f525451700079bbe4f5c5a17b1790d01eea4b35bfbcb8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1d22656-bce9-47cb-a71b-8991b9c441af.vbs

Filesize
706B

MD5
8daa358118149087094cff0f79335582

SHA1
647f9ba73e8681820978022c1ab9b5ef83125754

SHA256
826d779ed68c5080a18c35a9891bf54437f78882e0fef097e3ec9e8b7c19bd7e

SHA512
caa330af38a9287872788005655c28cc7ca9c35b9fcc5ed0e2f11327bac1bf249ce42d3a91fa96c187cbd9b8dc40bbcc3d2ad12524733c06b28331cf62b45cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\be19e966-6f1c-413f-a1c1-4de9ba83108a.vbs

Filesize
706B

MD5
7573a2a44d6c2ece6fd4ae3d5eb56fc2

SHA1
e4c98a4ae9fbf8c1bc709a6ac49dedebb96c82d3

SHA256
216693d60d32244fecc668c46d561b71e745a5e4ecc0dfc5cb865eb1f966377a

SHA512
b51f390eb403165dd8a83135dd33c6f6e765a3d26eb6a508844a8dbca6783ba7049a314af0d37016c6eb10b5c6924ae0891f4614466bef1e52bce90d13ead4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bff8c115-f747-437d-b60d-66d355584d8e.vbs

Filesize
706B

MD5
45497f174f8df5742e3cba84bb626362

SHA1
40fc171917831ff84b518f7e86cc1b93cf8290b6

SHA256
bc07a9e973d07eb95797d2d82effea6f269b8d889259e3ff36390b9b4cd3f1e9

SHA512
95f378e3b02d26e06699dce73f8b1071017c2feaa1c971be93bd46b0eeb678f2cf5a80fc36fa4fe74888afd69cabe1ccb493ffb45f17ec21621507cf3b76859b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf28c71-ff3c-4289-9259-bda50984b388.vbs

Filesize
706B

MD5
dbc48ef52f482b2a52e8d7f1e0bd7c87

SHA1
9afb36253e750f55facc573cb164b30e4cf27761

SHA256
cf69f520727f128ff996f0453e175ffd33488d319e73173c5fff81b05f629866

SHA512
cade27f6b18042ec9aa8f3dd055529da2ec1cb957d2fb28059c68d673152d0dc99e87923d7cc545c5176a3d13ee1a91cc830fa9c0335433812ba4dacab3f228b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e626fcad-3efd-4240-b78e-fd7155550ea7.vbs

Filesize
706B

MD5
f2464b775c3554845b75b3264d78e951

SHA1
d70e65e8be2f07982da15fad0ac11651b6c038f2

SHA256
0abe48f696bbeaedc104f04616361a98517cde2ef97e84216c0a6cc4870fd562

SHA512
0c0ce6e2dcad492170a8ddbd16d781d734dcb27f7636084440b3eeb0a79ef8caac1279d1075da3b124526773381ba1b13ca38aae74316cdc22c387610329dd03

Download Submit
memory/956-100-0x00000000012F0000-0x00000000013D4000-memory.dmp

Filesize
912KB

Download
memory/1580-157-0x00000000010C0000-0x00000000011A4000-memory.dmp

Filesize
912KB

Download
memory/2376-133-0x00000000003B0000-0x0000000000494000-memory.dmp

Filesize
912KB

Download
memory/2644-191-0x00000000000F0000-0x00000000001D4000-memory.dmp

Filesize
912KB

Download
memory/2792-145-0x00000000008A0000-0x0000000000984000-memory.dmp

Filesize
912KB

Download
memory/2860-215-0x00000000012B0000-0x0000000001394000-memory.dmp

Filesize
912KB

Download
memory/2864-6-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2864-4-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2864-5-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/2864-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2864-9-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2864-3-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2864-7-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/2864-8-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2864-203-0x0000000000D20000-0x0000000000E04000-memory.dmp

Filesize
912KB

Download
memory/2864-2-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-99-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-1-0x0000000000D00000-0x0000000000DE4000-memory.dmp

Filesize
912KB

Download