Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 13:01

General

  • Target

    3a7eb05a575ea6c0ebd97a42d6a77e66.exe

  • Size

    2.5MB

  • MD5

    3a7eb05a575ea6c0ebd97a42d6a77e66

  • SHA1

    71e362bd1e833c7192c0f93d219f9727f1c98297

  • SHA256

    25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c

  • SHA512

    0e4e9cc7d86949b349722e3e41d6e1686f8f55d44e98f93ff5f42f05a798c8300be75ff19ea0c369800c2cbc0fb4190a7138cbac5250ea812b11d185100403f6

  • SSDEEP

    49152:dLajZyQosaw6JjUh94mLijLGroai47lLOBTh8YLX/tG6wY0F6SqcCN39XD:cZyQoK2j1mLijicSLeLPeYTNx

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this report it is raised on the schtasks.exe invocations, which appear at depth 1 rather than under the process that launched them.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe
    "C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkedXQt8Zz.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2484
        • C:\Users\Default\Start Menu\dllhost.exe
          "C:\Users\Default\Start Menu\dllhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2788
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b929aa3-ca7e-46d0-bbac-729c0accfe4c.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Users\Default\Start Menu\dllhost.exe
              "C:\Users\Default\Start Menu\dllhost.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:2432
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac4c8c9-ba31-49c4-8448-668015cb4ea5.vbs"
            4⤵
              PID:112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2084
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3a7eb05a575ea6c0ebd97a42d6a77e663" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\3a7eb05a575ea6c0ebd97a42d6a77e66.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3a7eb05a575ea6c0ebd97a42d6a77e66" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\3a7eb05a575ea6c0ebd97a42d6a77e66.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "3a7eb05a575ea6c0ebd97a42d6a77e663" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\3a7eb05a575ea6c0ebd97a42d6a77e66.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\ELS\Transliteration\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\Transliteration\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1400
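The 57 schtasks.exe invocations above follow one pattern per dropped copy of the sample: an interval task named after the file with the file name's first letter appended (lsass.exe gives "lsassl", dllhost.exe gives "dllhostd"), a logon task under the bare name with /rl HIGHEST, and a second interval task with /rl HIGHEST, every target being a Windows process name placed outside its real location. The batch stage (cmd.exe /C pkedXQt8Zz.bat) uses w32tm /stripchart against localhost as a short delay before starting the dropped dllhost.exe. The Python below is an added example, not part of the sandbox report and not DCRat code: it parses schtasks /create command lines as they would appear in process-creation telemetry and scores each target file against that pattern. The three lsass.exe lines are copied from the tree above; the wbadmin line is a constructed benign control, and the lists of borrowed process names and trusted directories are the editor's assumptions drawn from the /tr targets in this report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: three lines copied from the report's process tree plus
# one hypothetical benign task for contrast.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup -quiet" /f''',
]

# Assumption: names whose genuine image lives under System32 (WmiPrvSE.exe sits
# in System32\wbem). System and Idle are kernel pseudo-processes with no image,
# so a file by that name is suspect anywhere.
SYSTEM32_NAMES = {
    "csrss.exe", "lsass.exe", "services.exe", "dllhost.exe", "dwm.exe", "spoolsv.exe",
    "audiodg.exe", "lsm.exe", "wmiprvse.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "svchost.exe",
}
NO_DISK_IMAGE = {"system.exe", "idle.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _flag(cmd, name):
    """Return the value after /name, with surrounding double quotes removed."""
    m = re.search(r"/" + name + r'\s+("([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)


def _task_exe(tr):
    """Reduce a /tr action to its program path (DCRat wraps it in single quotes)."""
    tr = tr.strip().strip("'\"")
    m = re.match(r"(.+?\.exe)\b", tr, re.IGNORECASE)
    return m.group(1) if m else tr.split()[0]


def parse_schtasks(cmd):
    """Parse a 'schtasks /create' command line; return None for anything else."""
    if not re.search(r"schtasks(\.exe)?\s+/create", cmd, re.IGNORECASE):
        return None
    tr = _flag(cmd, "tr")
    if tr is None:
        return None
    mo, rl = _flag(cmd, "mo"), _flag(cmd, "rl")
    return {
        "name": _flag(cmd, "tn") or "",
        "schedule": (_flag(cmd, "sc") or "").upper(),
        "interval": int(mo) if mo and mo.isdigit() else None,
        "exe": _task_exe(tr),
        "highest": (rl or "").upper() == "HIGHEST",
    }


def classify_task(task):
    """Return the reasons a single parsed task matches the DCRat persistence style."""
    reasons = []
    exe = PureWindowsPath(task["exe"])
    name, stem = exe.name.lower(), exe.stem.lower()
    parent = str(exe.parent).lower()
    trusted = any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)
    if name in NO_DISK_IMAGE:
        reasons.append(f"{exe.name} mimics a pseudo-process that has no executable")
    elif name in SYSTEM32_NAMES and not trusted:
        reasons.append(f"{exe.name} masquerades as a System32 binary from {exe.parent}")
    # Task name equals the file stem, or the stem plus its own first letter.
    if stem and task["name"].lower() in (stem, stem + stem[0]):
        reasons.append(f"task name {task['name']!r} derived from the target file name")
    if task["schedule"] == "ONLOGON" and task["highest"]:
        reasons.append("runs at every logon with highest run level")
    if task["schedule"] == "MINUTE" and task["interval"] is not None and task["interval"] <= 15:
        reasons.append(f"re-launches every {task['interval']} minutes")
    return reasons


def find_persistence_sets(cmdlines):
    """Group tasks by target file and flag the logon-plus-interval set DCRat creates."""
    by_exe = defaultdict(list)
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task:
            by_exe[task["exe"].lower()].append(task)
    hits = {}
    for exe, tasks in by_exe.items():
        reasons = sorted({r for t in tasks for r in classify_task(t)})
        schedules = {t["schedule"] for t in tasks}
        if len(tasks) >= 3 and {"ONLOGON", "MINUTE"} <= schedules:
            reasons.append(f"{len(tasks)} tasks (logon + interval) target the same file")
        if reasons:
            hits[exe] = reasons
    return hits


if __name__ == "__main__":
    for exe, reasons in find_persistence_sets(SAMPLE_CMDLINES).items():
        print(exe)
        for r in reasons:
            print("  -", r)
```

Feed it the command-line field of Sysmon event 1 or Security event 4688 records filtered on schtasks.exe; a single file with both an ONLOGON task and two short interval tasks is the strong signal, while any one reason on its own (an interval task, a HIGHEST logon task) is common in legitimate software.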

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe

        Filesize

        2.5MB

        MD5

        3a7eb05a575ea6c0ebd97a42d6a77e66

        SHA1

        71e362bd1e833c7192c0f93d219f9727f1c98297

        SHA256

        25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c

        SHA512

        0e4e9cc7d86949b349722e3e41d6e1686f8f55d44e98f93ff5f42f05a798c8300be75ff19ea0c369800c2cbc0fb4190a7138cbac5250ea812b11d185100403f6

      • C:\Users\Admin\AppData\Local\Temp\4ac4c8c9-ba31-49c4-8448-668015cb4ea5.vbs

        Filesize

        491B

        MD5

        f087d35c522c52601583d36baf9d422a

        SHA1

        aa13c1ab16223c61fd33bbe1e84fe28c52b83c51

        SHA256

        e0962a40eea50c9dcbf2a09d2369b264532ed06c71dfe2486bbc6bee7cd8c1e2

        SHA512

        e93feb917234a7cd5289d8303ae86e0903b6a5a08a8fb1a18acaa0719157eb7da6e2c711e053914e968455050b18eba2e8b8b500cec8399e77d10f681d2f0873

      • C:\Users\Admin\AppData\Local\Temp\7b929aa3-ca7e-46d0-bbac-729c0accfe4c.vbs

        Filesize

        715B

        MD5

        f5498868d27599bbb7ecd41fdd9e4757

        SHA1

        9df73cb7fba2eb02fe6d2618008ea6d67bb1ec4c

        SHA256

        74a9f87e9be97858348424f3b5ad57ff2a911b0819a06bb5ad8ee48cd728f5b1

        SHA512

        60711d032ad81569735ab36898fb457ca14884e448d954ab23045e9e0461403c6a4c44cc0e3a05a64637726785af0051f4e44341bffa4a8b2056d5c6141f95ff

      • C:\Users\Admin\AppData\Local\Temp\pkedXQt8Zz.bat

        Filesize

        204B

        MD5

        62bdb0888ce72121efa720d275652059

        SHA1

        731bf38799839951333aac0f701fadb3b11bf4f3

        SHA256

        e644aecbd868cff834d8d96bf302f2107a77381024a5677b5b762097d7f4f326

        SHA512

        ddc61b7c1c92f9d2a3f80552ed48e6a8478a585d2c9343468509ba35ebee60af2ce181796d2a2abf1a44277ae5d0d2154b6e534f75660ee60608f3278a9aa433

      • memory/2368-14-0x0000000002170000-0x0000000002178000-memory.dmp

        Filesize

        32KB

      • memory/2368-17-0x00000000021A0000-0x00000000021AE000-memory.dmp

        Filesize

        56KB

      • memory/2368-5-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

      • memory/2368-7-0x0000000000970000-0x00000000009C6000-memory.dmp

        Filesize

        344KB

      • memory/2368-8-0x0000000000420000-0x000000000042C000-memory.dmp

        Filesize

        48KB

      • memory/2368-9-0x0000000000520000-0x0000000000528000-memory.dmp

        Filesize

        32KB

      • memory/2368-10-0x0000000000530000-0x000000000053C000-memory.dmp

        Filesize

        48KB

      • memory/2368-11-0x00000000009C0000-0x00000000009C8000-memory.dmp

        Filesize

        32KB

      • memory/2368-12-0x00000000009D0000-0x00000000009DC000-memory.dmp

        Filesize

        48KB

      • memory/2368-13-0x00000000009E0000-0x00000000009EC000-memory.dmp

        Filesize

        48KB

      • memory/2368-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

        Filesize

        4KB

      • memory/2368-15-0x0000000002180000-0x000000000218C000-memory.dmp

        Filesize

        48KB

      • memory/2368-16-0x0000000002190000-0x000000000219A000-memory.dmp

        Filesize

        40KB

      • memory/2368-6-0x0000000000410000-0x000000000041A000-memory.dmp

        Filesize

        40KB

      • memory/2368-18-0x00000000022B0000-0x00000000022B8000-memory.dmp

        Filesize

        32KB

      • memory/2368-19-0x00000000022C0000-0x00000000022C8000-memory.dmp

        Filesize

        32KB

      • memory/2368-21-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

        Filesize

        9.9MB

      • memory/2368-20-0x00000000022D0000-0x00000000022DC000-memory.dmp

        Filesize

        48KB

      • memory/2368-4-0x00000000003E0000-0x00000000003FC000-memory.dmp

        Filesize

        112KB

      • memory/2368-64-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

        Filesize

        9.9MB

      • memory/2368-3-0x0000000000350000-0x0000000000358000-memory.dmp

        Filesize

        32KB

      • memory/2368-1-0x00000000009F0000-0x0000000000C70000-memory.dmp

        Filesize

        2.5MB

      • memory/2368-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

        Filesize

        9.9MB

      • memory/2432-79-0x0000000001040000-0x00000000012C0000-memory.dmp

        Filesize

        2.5MB

      • memory/2788-68-0x0000000000060000-0x00000000002E0000-memory.dmp

        Filesize

        2.5MB
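The dropped C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe listed above carries exactly the hashes of the submitted sample, so every scheduled-task target in this report is expected to be a byte-identical copy of it. The Python below is an added example, not part of the report: it sweeps a set of directory roots for files that borrow one of the process names this sample uses, skips locations where a genuine copy would live, and hashes the rest so they can be matched against the sample's SHA256. The name list, the trusted path fragments and the default roots are the editor's assumptions taken from the /tr targets in the process tree; the demo tree built by build_constructed_tree() is constructed test data, not a real infection.

```python
import hashlib
import os
from pathlib import Path

# SHA256 of the submitted sample, as listed in the report's General section.
KNOWN_SHA256 = frozenset({
    "25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c",
})

# Assumption: process names this sample borrows for its dropped copies.
MASQUERADE_NAMES = {
    "csrss.exe", "lsass.exe", "services.exe", "dllhost.exe", "dwm.exe", "spoolsv.exe",
    "audiodg.exe", "lsm.exe", "wmiprvse.exe", "osppsvc.exe", "system.exe", "idle.exe",
}
# Assumption: path fragments (lower-case, forward slashes) under which genuine
# copies of those names live; WinSxS holds the component store copies.
TRUSTED_FRAGMENTS = (
    "/windows/system32/", "/windows/syswow64/", "/windows/winsxs/",
    "/officesoftwareprotectionplatform/",
)
# Roots taken from the drop locations in the report's schtasks commands.
DEFAULT_ROOTS = [r"C:\Users", r"C:\Recovery", r"C:\MSOCache",
                 r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _is_trusted_location(path):
    norm = "/" + str(path).replace("\\", "/").lower().lstrip("/")
    return any(frag in norm for frag in TRUSTED_FRAGMENTS)


def hunt_masquerades(roots, known_hashes=KNOWN_SHA256):
    """Return files named like a Windows process but stored outside a trusted location.

    Each finding carries the path, its SHA256 and whether that hash is a known IOC.
    Missing roots are skipped silently, so the default root list is safe to use."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() not in MASQUERADE_NAMES:
                    continue
                full = Path(dirpath) / fname
                if _is_trusted_location(full):
                    continue
                digest = sha256_file(full)
                findings.append({"path": str(full), "sha256": digest,
                                 "known_ioc": digest in known_hashes})
    return findings


def build_constructed_tree(base):
    """Write a constructed demo tree: one masquerading copy, one genuine-looking
    System32 copy that must be skipped, and an unrelated file. Returns the payload."""
    payload = b"MZ\x90\x00constructed-demo-not-a-real-pe"
    suspect_dir = Path(base) / "Users" / "Default" / "Start Menu"
    trusted_dir = Path(base) / "Windows" / "System32"
    for d in (suspect_dir, trusted_dir):
        d.mkdir(parents=True, exist_ok=True)
        (d / "dllhost.exe").write_bytes(payload)
    (suspect_dir / "readme.txt").write_bytes(b"not an executable")
    return payload


if __name__ == "__main__":
    import sys
    for hit in hunt_masquerades(sys.argv[1:] or DEFAULT_ROOTS):
        tag = "KNOWN IOC" if hit["known_ioc"] else "SUSPECT  "
        print(tag, hit["sha256"], hit["path"])
```

Run it with no arguments on a suspect host to sweep the report's drop roots, or pass explicit directories. A file that matches KNOWN_SHA256 is a confirmed copy of this sample; a SUSPECT hit with a different hash still deserves a look, since any csrss.exe or lsass.exe outside System32 is wrong regardless of which family put it there.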