dcrat | 525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c79c2f450da5e97631c33ddce170bb4.exe
Size

999KB
MD5

6c79c2f450da5e97631c33ddce170bb4
SHA1

b0356c1821709ae9a5fd99e6573125fc8b58f2b4
SHA256

152965f868c6784be4f3845d34c32e9159566067bd8a7265d57c7a7003c24c75
SHA512

1372d8e9aced9e4f6e1ae0f7ec503e7e956028f59ec3ee7b9e5109938e8683d8eaae2a82b729640d21164a12b2cbeed2cf991d5c1feaa8bda2ece21887b1a757
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 58 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2808	schtasks.exe
		1756	schtasks.exe
		2300	schtasks.exe
		2696	schtasks.exe
		2060	schtasks.exe
		2268	schtasks.exe
		2916	schtasks.exe
		1216	schtasks.exe
		1868	schtasks.exe
		1284	schtasks.exe
		2044	schtasks.exe
		2100	schtasks.exe
		1724	schtasks.exe
		380	schtasks.exe
		2604	schtasks.exe
		2736	schtasks.exe
		2068	schtasks.exe
		2472	schtasks.exe
		2228	schtasks.exe
		2332	schtasks.exe
		2784	schtasks.exe
		2640	schtasks.exe
		3016	schtasks.exe
		3040	schtasks.exe
		1564	schtasks.exe
		2740	schtasks.exe
		484	schtasks.exe
		2200	schtasks.exe
		964	schtasks.exe
		2572	schtasks.exe
		2180	schtasks.exe
		2292	schtasks.exe
		2500	schtasks.exe
		2848	schtasks.exe
		816	schtasks.exe
		1592	schtasks.exe
File created	C:\Program Files (x86)\Google\explorer.exe		6c79c2f450da5e97631c33ddce170bb4.exe
		2896	schtasks.exe
		2712	schtasks.exe
		2752	schtasks.exe
File created	C:\Program Files (x86)\Google\7a0fd90576e088		6c79c2f450da5e97631c33ddce170bb4.exe
		592	schtasks.exe
		2964	schtasks.exe
		2092	schtasks.exe
		2624	schtasks.exe
		2004	schtasks.exe
		808	schtasks.exe
		2744	schtasks.exe
		2240	schtasks.exe
		444	schtasks.exe
		640	schtasks.exe
		1460	schtasks.exe
		2540	schtasks.exe
		1860	schtasks.exe
		2968	schtasks.exe
		1588	schtasks.exe
		1920	schtasks.exe
		2428	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\Downloads\\Idle.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\csrss.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\Downloads\\Idle.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\csrss.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\sppsvc.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\Downloads\\Idle.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\Downloads\\Idle.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\csrss.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\Downloads\\Idle.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\csrss.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\6c79c2f450da5e97631c33ddce170bb4.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\", \"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\", \"C:\\Users\\All Users\\lsm.exe\", \"C:\\Users\\Admin\\Downloads\\services.exe\", \"C:\\Users\\Admin\\Downloads\\Idle.exe\", \"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\csrss.exe\", \"C:\\Users\\Public\\Recorded TV\\Sample Media\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\6c79c2f450da5e97631c33ddce170bb4.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Idle.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Users\\All Users\\explorer.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe

Process spawned unexpected child process 56 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2032	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2032	schtasks.exe	30

Executes dropped EXE 1 IoCs

pid	Process
996	services.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Google\\explorer.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\ProgramData\\Adobe\\Updater6\\WmiPrvSE.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Downloads\\Idle.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\sppsvc.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\explorer.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Documentation\\csrss.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\wininit.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\lsm.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Downloads\\services.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\csrss.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c79c2f450da5e97631c33ddce170bb4 = "\"C:\\Users\\All Users\\Microsoft\\Windows\\6c79c2f450da5e97631c33ddce170bb4.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Idle.exe\""	6c79c2f450da5e97631c33ddce170bb4.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe	6c79c2f450da5e97631c33ddce170bb4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\886983d96e3d3e	6c79c2f450da5e97631c33ddce170bb4.exe
File opened for modification	C:\Program Files (x86)\Google\RCXA9E9.tmp	6c79c2f450da5e97631c33ddce170bb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe	6c79c2f450da5e97631c33ddce170bb4.exe
File created	C:\Program Files (x86)\Google\7a0fd90576e088	6c79c2f450da5e97631c33ddce170bb4.exe
File opened for modification	C:\Program Files (x86)\Google\RCXA9E8.tmp	6c79c2f450da5e97631c33ddce170bb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\RCXB20B.tmp	6c79c2f450da5e97631c33ddce170bb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\RCXB20C.tmp	6c79c2f450da5e97631c33ddce170bb4.exe
File created	C:\Program Files (x86)\Google\explorer.exe	6c79c2f450da5e97631c33ddce170bb4.exe
File opened for modification	C:\Program Files (x86)\Google\explorer.exe	6c79c2f450da5e97631c33ddce170bb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 56 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
2968	schtasks.exe
2964	schtasks.exe
640	schtasks.exe
1284	schtasks.exe
2540	schtasks.exe
1592	schtasks.exe
2624	schtasks.exe
2004	schtasks.exe
1868	schtasks.exe
1588	schtasks.exe
816	schtasks.exe
2428	schtasks.exe
2332	schtasks.exe
2712	schtasks.exe
2740	schtasks.exe
2896	schtasks.exe
2640	schtasks.exe
2060	schtasks.exe
808	schtasks.exe
484	schtasks.exe
2092	schtasks.exe
2784	schtasks.exe
2100	schtasks.exe
2044	schtasks.exe
1756	schtasks.exe
2240	schtasks.exe
2068	schtasks.exe
2200	schtasks.exe
2472	schtasks.exe
2744	schtasks.exe
2268	schtasks.exe
1860	schtasks.exe
3016	schtasks.exe
2292	schtasks.exe
2228	schtasks.exe
1460	schtasks.exe
1920	schtasks.exe
2752	schtasks.exe
380	schtasks.exe
1216	schtasks.exe
2696	schtasks.exe
592	schtasks.exe
444	schtasks.exe
3040	schtasks.exe
964	schtasks.exe
2808	schtasks.exe
2848	schtasks.exe
1724	schtasks.exe
2916	schtasks.exe
1564	schtasks.exe
2300	schtasks.exe
2572	schtasks.exe
2180	schtasks.exe
2736	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1192	6c79c2f450da5e97631c33ddce170bb4.exe
1192	6c79c2f450da5e97631c33ddce170bb4.exe
1192	6c79c2f450da5e97631c33ddce170bb4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	6c79c2f450da5e97631c33ddce170bb4.exe
Token: SeDebugPrivilege	996	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 996	1192	6c79c2f450da5e97631c33ddce170bb4.exe	87
PID 1192 wrote to memory of 996	1192	6c79c2f450da5e97631c33ddce170bb4.exe	87
PID 1192 wrote to memory of 996	1192	6c79c2f450da5e97631c33ddce170bb4.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c79c2f450da5e97631c33ddce170bb4.exe
"C:\Users\Admin\AppData\Local\Temp\6c79c2f450da5e97631c33ddce170bb4.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\Downloads\services.exe
  "C:\Users\Admin\Downloads\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc MINUTE /mo 12 /tr "'C:\ProgramData\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONSTART /tr "'C:\ProgramData\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\ProgramData\Adobe\Updater6\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONSTART /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONSTART /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\Users\Admin\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONSTART /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb4" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Windows\6c79c2f450da5e97631c33ddce170bb4.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb4" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\6c79c2f450da5e97631c33ddce170bb4.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb4" /sc ONSTART /tr "'C:\Users\All Users\Microsoft\Windows\6c79c2f450da5e97631c33ddce170bb4.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c79c2f450da5e97631c33ddce170bb46" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Windows\6c79c2f450da5e97631c33ddce170bb4.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe

Filesize
999KB

MD5
6c79c2f450da5e97631c33ddce170bb4

SHA1
b0356c1821709ae9a5fd99e6573125fc8b58f2b4

SHA256
152965f868c6784be4f3845d34c32e9159566067bd8a7265d57c7a7003c24c75

SHA512
1372d8e9aced9e4f6e1ae0f7ec503e7e956028f59ec3ee7b9e5109938e8683d8eaae2a82b729640d21164a12b2cbeed2cf991d5c1feaa8bda2ece21887b1a757

Download Submit
C:\ProgramData\lsm.exe

Filesize
999KB

MD5
204d4f3bec20bd449c48954defa768fd

SHA1
e738d9d1497278d1421e09e3ce1b590f8079b6ab

SHA256
9fb4a5ac9621ac4b73a9803344d20629f00f2d6c40fe6e1b5a97906a306224cd

SHA512
1ef1459f0b101b4e7b486808a04731051f40650d7da7757cb75fdf90d27f4fad0e8c15e4662790d29193380b933d7c0cd829c7a84ef675263fc51a6ca4e74d6c

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe

Filesize
999KB

MD5
55320f9925025374a835830fe243094b

SHA1
99373de5c11f345a53bc3c34139b6bae6ef7927e

SHA256
4d523fc558ee23237786dbbc0204f9f930e8c4f765e4d3a46453ce7bcf0f27db

SHA512
5d37ad5601597dc31042910d7bd05e862b3d44d51164f34548f7d737893fa6568ebeeed69a29742c1ccb61bc79f1d2b1ad0e5b80c9f767d163b1662bd564fd89

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe

Filesize
999KB

MD5
ed4c38b9f61c734742cfd1b29df0a7ee

SHA1
abc2a3cd045a3cdba41f61ea3b3b53345b510f33

SHA256
9715e09d28ab0ca3ab6f1ef8516cabde3a355ccd7c8a48abf41e679ada88d2c4

SHA512
9db3c0a06fc7344525768e7ab3292d518549e2bb000d7db3d0fda7399e75d34694af9cd648f45e62bbbcc1e47db20cb12b68819c33b84accdd8eb694b639864e

Download Submit
memory/996-215-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/1192-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1192-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1192-9-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1192-8-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1192-6-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1192-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1192-7-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1192-10-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/1192-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/1192-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1192-195-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1192-207-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1192-1-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1192-216-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download