dcrat | 67023e5eea41ad1c9c1309c6184a031934774c6434715e5def0bd6267d501bbe

Analysis

max time kernel
76s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 13:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe
Size

2.0MB
MD5

c4040c9572e25b68248895c75eeba061
SHA1

1248507d3ce31ecc51ca82857170919e2ea9fe32
SHA256

2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad
SHA512

bb76b3ceaa77014c57be7bc576194a7dc29bb6ad374b69b2e8a96b6deb39f181a3a11ce0eb288936d09ecbb68844cbfc77948c48851b39dd2e1fbca3814d42b0
SSDEEP

24576:lBhv99f9Gs8aOCbzcjWzJC82lwjapmnLwN2Z66Tk862t9mpR:NzfcfgcjWzJmlw+mLwa66Tk86TR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1028	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	1028	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2880-54-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/2880-56-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/2880-58-0x0000000000400000-0x0000000000524000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2724	smss.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	InstallUtil.exe
File created	C:\Program Files\Common Files\csrss.exe	InstallUtil.exe
File created	C:\Program Files\Windows Portable Devices\InstallUtil.exe	InstallUtil.exe
File created	C:\Program Files\Windows Portable Devices\d045ef90dc24d9	InstallUtil.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	InstallUtil.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\spoolsv.exe	InstallUtil.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\f3b6ecef712a24	InstallUtil.exe
File created	C:\Program Files\Common Files\886983d96e3d3e	InstallUtil.exe
File created	C:\Program Files (x86)\Windows Portable Devices\InstallUtil.exe	InstallUtil.exe
File created	C:\Program Files (x86)\Windows Portable Devices\d045ef90dc24d9	InstallUtil.exe
File opened for modification	C:\Program Files\Windows Portable Devices\InstallUtil.exe	InstallUtil.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe	InstallUtil.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\69ddcba757bf72	InstallUtil.exe

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2260	schtasks.exe
1084	schtasks.exe
1708	schtasks.exe
2680	schtasks.exe
2064	schtasks.exe
2772	schtasks.exe
1656	schtasks.exe
2468	schtasks.exe
2208	schtasks.exe
3052	schtasks.exe
2276	schtasks.exe
2616	schtasks.exe
2472	schtasks.exe
2500	schtasks.exe
1936	schtasks.exe
2156	schtasks.exe
2732	schtasks.exe
2740	schtasks.exe
2516	schtasks.exe
2992	schtasks.exe
1100	schtasks.exe
1876	schtasks.exe
240	schtasks.exe
2116	schtasks.exe
1720	schtasks.exe
3044	schtasks.exe
2996	schtasks.exe
1964	schtasks.exe
2224	schtasks.exe
2624	schtasks.exe
1116	schtasks.exe
2812	schtasks.exe
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2880	InstallUtil.exe
2880	InstallUtil.exe
2880	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	InstallUtil.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 3008 wrote to memory of 2880	3008	2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe	29
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64
PID 2880 wrote to memory of 2724	2880	InstallUtil.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe
"C:\Users\Admin\AppData\Local\Temp\2daebd8dfaff129627b1e4b6f8dc3df6ffa6e48035fa2806bfad550d8980fdad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe
    "C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe"
    3⤵
    - Executes dropped EXE
    PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\InstallUtil.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtil" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\InstallUtil.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\InstallUtil.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a3f43a2-19f3-11ee-a7ec-52ff6c828047\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\InstallUtil.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtil" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\InstallUtil.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\InstallUtil.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\es-ES\spoolsv.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d7245402b9853a8e390552ba45b3a6b4\smss.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/2724-90-0x0000000001140000-0x000000000114C000-memory.dmp

Filesize
48KB

Download
memory/2880-54-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2880-56-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2880-58-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2880-59-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/2880-60-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2880-67-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download