dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
59s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	5100	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	5100	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/1888-1-0x00000000004A0000-0x0000000000642000-memory.dmp	dcrat
behavioral20/files/0x0008000000024102-29.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4624	powershell.exe
456	powershell.exe
760	powershell.exe
3444	powershell.exe
4448	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	1f0343adab1970d928320ce2aa587fd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 6 IoCs

pid	Process
1544	csrss.exe
2108	csrss.exe
60	csrss.exe
1192	csrss.exe
3244	csrss.exe
2660	csrss.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXAA5E.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Uninstall Information\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\dotnet\swidtag\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXA858.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\dotnet\swidtag\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\dotnet\swidtag\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXA859.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAA5D.tmp	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1f0343adab1970d928320ce2aa587fd3.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
952	schtasks.exe
4404	schtasks.exe
4796	schtasks.exe
3752	schtasks.exe
888	schtasks.exe
3184	schtasks.exe
4668	schtasks.exe
436	schtasks.exe
4676	schtasks.exe
2472	schtasks.exe
1544	schtasks.exe
3564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1888	1f0343adab1970d928320ce2aa587fd3.exe
1888	1f0343adab1970d928320ce2aa587fd3.exe
1888	1f0343adab1970d928320ce2aa587fd3.exe
4624	powershell.exe
4624	powershell.exe
456	powershell.exe
456	powershell.exe
3444	powershell.exe
3444	powershell.exe
760	powershell.exe
760	powershell.exe
4448	powershell.exe
4448	powershell.exe
760	powershell.exe
4624	powershell.exe
456	powershell.exe
3444	powershell.exe
4448	powershell.exe
1544	csrss.exe
2108	csrss.exe
60	csrss.exe
1192	csrss.exe
1192	csrss.exe
3244	csrss.exe
3244	csrss.exe
2660	csrss.exe
2660	csrss.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1544	csrss.exe
Token: SeDebugPrivilege	2108	csrss.exe
Token: SeDebugPrivilege	60	csrss.exe
Token: SeDebugPrivilege	1192	csrss.exe
Token: SeDebugPrivilege	3244	csrss.exe
Token: SeDebugPrivilege	2660	csrss.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4624	1888	1f0343adab1970d928320ce2aa587fd3.exe	102
PID 1888 wrote to memory of 4624	1888	1f0343adab1970d928320ce2aa587fd3.exe	102
PID 1888 wrote to memory of 456	1888	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 1888 wrote to memory of 456	1888	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 1888 wrote to memory of 760	1888	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 1888 wrote to memory of 760	1888	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 1888 wrote to memory of 3444	1888	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 1888 wrote to memory of 3444	1888	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 1888 wrote to memory of 4448	1888	1f0343adab1970d928320ce2aa587fd3.exe	106
PID 1888 wrote to memory of 4448	1888	1f0343adab1970d928320ce2aa587fd3.exe	106
PID 1888 wrote to memory of 1544	1888	1f0343adab1970d928320ce2aa587fd3.exe	112
PID 1888 wrote to memory of 1544	1888	1f0343adab1970d928320ce2aa587fd3.exe	112
PID 1544 wrote to memory of 4280	1544	csrss.exe	113
PID 1544 wrote to memory of 4280	1544	csrss.exe	113
PID 1544 wrote to memory of 2456	1544	csrss.exe	114
PID 1544 wrote to memory of 2456	1544	csrss.exe	114
PID 4280 wrote to memory of 2108	4280	WScript.exe	118
PID 4280 wrote to memory of 2108	4280	WScript.exe	118
PID 2108 wrote to memory of 2112	2108	csrss.exe	120
PID 2108 wrote to memory of 2112	2108	csrss.exe	120
PID 2108 wrote to memory of 2284	2108	csrss.exe	121
PID 2108 wrote to memory of 2284	2108	csrss.exe	121
PID 2112 wrote to memory of 60	2112	WScript.exe	124
PID 2112 wrote to memory of 60	2112	WScript.exe	124
PID 60 wrote to memory of 432	60	csrss.exe	125
PID 60 wrote to memory of 432	60	csrss.exe	125
PID 60 wrote to memory of 2216	60	csrss.exe	126
PID 60 wrote to memory of 2216	60	csrss.exe	126
PID 432 wrote to memory of 1192	432	WScript.exe	130
PID 432 wrote to memory of 1192	432	WScript.exe	130
PID 1192 wrote to memory of 3044	1192	csrss.exe	131
PID 1192 wrote to memory of 3044	1192	csrss.exe	131
PID 1192 wrote to memory of 2052	1192	csrss.exe	132
PID 1192 wrote to memory of 2052	1192	csrss.exe	132
PID 3044 wrote to memory of 3244	3044	WScript.exe	133
PID 3044 wrote to memory of 3244	3044	WScript.exe	133
PID 3244 wrote to memory of 3756	3244	csrss.exe	134
PID 3244 wrote to memory of 3756	3244	csrss.exe	134
PID 3244 wrote to memory of 1624	3244	csrss.exe	135
PID 3244 wrote to memory of 1624	3244	csrss.exe	135
PID 3756 wrote to memory of 2660	3756	WScript.exe	137
PID 3756 wrote to memory of 2660	3756	WScript.exe	137
PID 2660 wrote to memory of 3188	2660	csrss.exe	138
PID 2660 wrote to memory of 3188	2660	csrss.exe	138
PID 2660 wrote to memory of 1576	2660	csrss.exe	139
PID 2660 wrote to memory of 1576	2660	csrss.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Recovery\WindowsRE\csrss.exe
  "C:\Recovery\WindowsRE\csrss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31f002e9-3808-42b2-9ccc-6f2eaba008ea.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Recovery\WindowsRE\csrss.exe
      C:\Recovery\WindowsRE\csrss.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d9c94db-7c80-4d2e-858b-6b75c1423341.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69240a6b-b384-4191-b2fe-46eede6a8b76.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e86fdf7b-732a-4861-be11-126ca664f2e0.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0424e719-c441-45bb-b616-08784d41ec31.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e030cc8-82dc-454e-b8b3-26977a453fad.vbs"
        13⤵
        
        PID:3188
        
        C:\Recovery\WindowsRE\csrss.exe
        
        C:\Recovery\WindowsRE\csrss.exe
        14⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c184c92e-2bde-427f-a8c2-038f68498d32.vbs"
        13⤵
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8746fbb-efe2-483c-8068-78384fe0aad0.vbs"
        11⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9242d64f-f8a9-4c66-86dd-83f7fbabfa72.vbs"
        9⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4052bd45-6440-4cf0-bd05-149e4204491e.vbs"
        7⤵
        
        PID:2216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b43a6e39-16b9-47c3-bb95-b3d231ee9f8f.vbs"
        5⤵
        
        PID:2284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d83b7721-468f-40e5-9dda-051c0e378b19.vbs"
    3⤵
    PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0b9ebff96ce87bb2948f7decf425a335

SHA1
3172582f4a97c15d0c5162c547fe81b811de8e74

SHA256
9e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c

SHA512
4eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c558a929f5c991ed7363b323d4eb0b90

SHA1
2563cd152880eab5bc780933905f854b29c9d566

SHA256
04e3abee01c1053e991b06858069e06ffc9722659cf3d6e024f5d1f34c05a474

SHA512
06f804d44298137f74cfcd30c64661a30c6c27ef00f370485d98cfdbcc43e23ea1a8ac1c9d7fd65af08671bbe466dcde017b174912c17609499490971763b7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0424e719-c441-45bb-b616-08784d41ec31.vbs

Filesize
707B

MD5
f2f31bc1ba54ad609377d1179ddb59a6

SHA1
daf0d914a4132641b5daff513505d2181c91cb09

SHA256
0c89e5e427fad88953529663b082964b794763200c08f95afa60e398518e788b

SHA512
ba092f5a372c1b77ec9db9b5c65d7988bc350efe0571f745ed0c58db10bc520d80df5657e62d78916047319dcf554538cdbc048e2620ea4c3c5863fe70c53020

Download Submit
C:\Users\Admin\AppData\Local\Temp\31f002e9-3808-42b2-9ccc-6f2eaba008ea.vbs

Filesize
707B

MD5
3aefb117eea70807d211704bc46ee351

SHA1
10768dfc9cc574a2a1db7ef5be8f83ba60117e4c

SHA256
581c04a81878f2f99aa3e9e5b8d76398ad516460aa4f3702204ac5b7fa0fdb43

SHA512
df57c842ce521bdd15ee372c31190900d8f6b8cc6d1297c7e67429d30dd9af61d5c9479518a1b4bcf5eb505b46969202c62e78e13f830c0b01597b28e25619a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e030cc8-82dc-454e-b8b3-26977a453fad.vbs

Filesize
707B

MD5
db01637c026ce9a9a4976c8da4e8e618

SHA1
87d4fa497f96db93b20b38461e1dc4e995949108

SHA256
0fcdf2c77b3d69218ee2e9d3dcdb71b190aca43249d6da2ab75feb1a9ded8687

SHA512
2452e32e9edc249b6ec6932ea5daa96f4747754606cec36e529d180d62e24ab75f5260ff8773a92ab84eda7a993d5c879293a4ed318d6dda072d4f498a768959

Download Submit
C:\Users\Admin\AppData\Local\Temp\69240a6b-b384-4191-b2fe-46eede6a8b76.vbs

Filesize
705B

MD5
bbd58dad617b4710918eac9242ed1ab6

SHA1
1ec0ab1776dd7452244970f56c0681bfc641fd3f

SHA256
353004ad5925d85c51e4438626c58f4a9b1531af70ffff0038ba934d40c6e0a5

SHA512
176a0ca0ca97bcbb34cfb3d6d6edd304d879cd6baa701f6e8b4af5b932517f1ecf8d9632b01e3ca4499142718c82b5d2cdbfc854a0f64ae01d7363fc57541c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d9c94db-7c80-4d2e-858b-6b75c1423341.vbs

Filesize
707B

MD5
f7a4b683c1d263993e3fc8c5d0f558a4

SHA1
34344d5af134cb12f5290de9e9f8a47d9c964861

SHA256
9b22cc92b29cb2b29b57bd2c903422b53df9d5d013abfed26a06c62907daced9

SHA512
2cb9640e3f43a257e36448e0e7e5d886dc7fc642810aa589fb350158e991fcc74f0d7c068be536ca52fbe14a12d1cdc39ea0ca8a86c0ea2b96effe040b830c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXA643.tmp

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwpmvkh3.uqu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d83b7721-468f-40e5-9dda-051c0e378b19.vbs

Filesize
483B

MD5
c728750d8f331787b1ddead4401150b7

SHA1
5b3496616187f0c68b767461b4151b388e1c7ad6

SHA256
77fa8662a2c02955941ac078d81bc85941524013bad1f6839049833999618b67

SHA512
fc68815d42b190691b90eeffe310a6027b4c9433e3ff3fd8e6dc67eb2acb631dac51f0037ff137e3b5e2a6820c5cf4c74f74512e6ea87a0bcfc339df9adb3eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e86fdf7b-732a-4861-be11-126ca664f2e0.vbs

Filesize
707B

MD5
36a568f4589ff51582fe456fda0a3957

SHA1
32bf0cffb0028699390db647bd3d7e376268ff4b

SHA256
1c04640680cbd22a17b3ebddbb8c5fb34b69096995a34e81d6be8e4a7cd7a83b

SHA512
173965698ede41a048203b6af900f9384763bc3d09954e77d4d34c0515b26d93c7efc168d899b958076436aea03d7e4aeb5208cb84d325222229dc70dfbb7ccc

Download Submit
memory/1888-6-0x0000000002800000-0x0000000002816000-memory.dmp

Filesize
88KB

Download
memory/1888-11-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/1888-13-0x000000001B900000-0x000000001B90E000-memory.dmp

Filesize
56KB

Download
memory/1888-12-0x000000001B8F0000-0x000000001B8FA000-memory.dmp

Filesize
40KB

Download
memory/1888-17-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/1888-16-0x000000001BB30000-0x000000001BB3A000-memory.dmp

Filesize
40KB

Download
memory/1888-15-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/1888-1-0x00000000004A0000-0x0000000000642000-memory.dmp

Filesize
1.6MB

Download
memory/1888-186-0x00007FFC91E00000-0x00007FFC928C1000-memory.dmp

Filesize
10.8MB

Download
memory/1888-14-0x000000001BB10000-0x000000001BB18000-memory.dmp

Filesize
32KB

Download
memory/1888-10-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/1888-9-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/1888-0-0x00007FFC91E03000-0x00007FFC91E05000-memory.dmp

Filesize
8KB

Download
memory/1888-8-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/1888-7-0x000000001B200000-0x000000001B208000-memory.dmp

Filesize
32KB

Download
memory/1888-5-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1888-4-0x000000001B910000-0x000000001B960000-memory.dmp

Filesize
320KB

Download
memory/1888-3-0x00000000027C0000-0x00000000027DC000-memory.dmp

Filesize
112KB

Download
memory/1888-2-0x00007FFC91E00000-0x00007FFC928C1000-memory.dmp

Filesize
10.8MB

Download
memory/4624-129-0x000001D030810000-0x000001D030832000-memory.dmp

Filesize
136KB

Download